[whatwg] First or last Content-Type header?

Bil Corry bil at corry.biz
Tue Jun 2 16:24:20 PDT 2009

Den.Molib wrote on 6/2/2009 4:19 PM: 
> Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a header injection scenario.  For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:
>> 	http://www.corry.biz:40100/
>> In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered.  It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.
> 1. The server or the script language you used to inject the payload may
> be replacing the header when you add the second header.

It may, but then there wouldn't be two headers and falls outside the scope of this discussion.

> 2. Browsers in widespread use take into account the last header.

Yes, Adam has made this clear; only IE differs.

> Thus, presending a header is not a method to protect the app.

Are you referring to current browser behavior?  Or the proposed content-sniffing algorithm?  If you're talking about current browser behavior, then it does work for IE.

>> Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing.  Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?
> How do you send as plain text html content (eg. samples of malicious
> javascript) if using just heuristics?
> Or simply send a html-howto in plain text.

The server should provide a single content-type header that specifies text/plain.  In the context that there are two content-type headers, then the answer will depend on which browser you want to protect; IE, set the first header to text/plain; all the others, set the last header to text/plain.

And to be clear, if the content-sniffing draft decides to use the last header because it interoperates with the most sites, then I get that.  I just don't want to see it using a less secure method just because that's what 4 out 5 browsers currently do.

- Bil

More information about the whatwg mailing list