Re: [whatwg] First or last Content-Type header?

2009-06-05 Thread Adam Barth
On Mon, Jun 1, 2009 at 2:55 PM, Den.Molib den.mo...@gmail.com wrote:
> The only case of double headers I can think of is when using scripts
> that set a content-type, then try to set it again and the language
> itself doesn't prevent it.
> I think the right option in such a case would be to follow the last one,
> as it's the one provided nearer the content.

On Mon, Jun 1, 2009 at 4:25 PM, Bil Corry b...@corry.biz wrote:
> And by the same logic, the header closest to the content could be the one
> that was injected by an attacker (via application hole) -- so might choosing
> the first header be more prudent?

On Tue, Jun 2, 2009 at 11:53 AM, Bil Corry b...@corry.biz wrote:
> Perhaps the better choice would be to toss out the multiple content-headers
> entirely and rely exclusively on content-sniffing.  Without the
> content-header, Firefox 3 correctly shows the image, and Internet Explorer
> incorrectly delivers the payload -- but your draft, if adopted, should fix
> that problem, correct?

Den.Molib den.mo...@gmail.com
> 1. The server or the script language you used to inject the payload may
> be replacing the header when you add the second header.
> 2. Browsers in widespread use take into account the last header.
>
> Thus, pre-sending a header is not a method to protect the app.

On Tue, Jun 2, 2009 at 4:24 PM, Bil Corry b...@corry.biz wrote:
> Are you referring to current browser behavior?  Or the proposed
> content-sniffing algorithm?  If you're talking about current browser
> behavior, then it does work for IE.
[...]
> The server should provide a single content-type header that specifies
> text/plain.  In the context that there are two content-type headers, then the
> answer will depend on which browser you want to protect; IE, set the first
> header to text/plain; all the others, set the last header to text/plain.
>
> And to be clear, if the content-sniffing draft decides to use the last header
> because it interoperates with the most sites, then I get that.  I just don't
> want to see it using a less secure method just because that's what 4 out of 5
> browsers currently do.

On Tue, Jun 2, 2009 at 4:51 PM, Aryeh Gregor simetrical+...@gmail.com wrote:
> Sending a text/plain Content-Type will not prevent any
> (default-configured) version of IE from interpreting the file as HTML,
> even if it's the *only* Content-Type header sent.  This is why Adam
> Barth said "The only browser that uses the first header more or less
> ignores it anyway."  This apparently isn't fixed even in IE8: it
> insists on still upsniffing text/plain to text/html unless you use the
> nonstandard header Content-Type: text/plain; authoritative=true;.
>
> (The reason given is compatibility.  As usual, Microsoft seems to have
> compatibility problems where all other browsers have been doing the
> right thing for years -- maybe because of their intranet usage share.
> IE8 at least won't treat image/* as HTML anymore.)
>
> So anyway, IE is irrelevant to this discussion.
>
> Reference:
> http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

Based on this discussion, I'm not convinced there is a sufficiently
compelling security rationale for convincing 4 out of 5 browsers to
change their implementations.  The only attack presented is a header
injection attack.  If I can inject headers into your HTTP responses, I
can almost always perform a response splitting attack and obviate any
protections we might hope to gain by using the first Content-Type
header.

Adam


Re: [whatwg] First or last Content-Type header?

2009-06-03 Thread Adam Barth
On Wed, Jun 3, 2009 at 12:36 AM, Philip Taylor excors+wha...@gmail.com wrote:
> http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
> - it's X-Content-Type-Options: nosniff now (and is used a bit in
> practice - it's on about 0.1% of pages from
> http://www.dotnetdotcom.org/, though about half of them are owned by
> Google or Microsoft).

The ironic twist to this story is that HTTP responses that include the
nosniff directive are 50% more likely to have a missing or incorrect
Content-Type header.

Adam
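As an added illustration (my own code, not part of the original thread) of the interplay Adam describes between nosniff and the Content-Type header: once a response carries X-Content-Type-Options: nosniff, the declared type is what the browser acts on, so a missing or wrong Content-Type on such a response is no longer papered over by sniffing. The audit below runs Python's standard-library header parser over constructed header blocks; the finding names and the sample blocks are mine.

```python
"""Audit HTTP response header blocks for the Content-Type / nosniff
combinations discussed in the thread (added example, not from the thread)."""
import io
from http.client import parse_headers
from typing import Dict, List


def content_type_findings(raw_headers: bytes) -> List[str]:
    """Return finding codes for one response. `raw_headers` is the header
    block after the status line, terminated by a blank line."""
    msg = parse_headers(io.BytesIO(raw_headers))
    types = [v.strip() for v in (msg.get_all("Content-Type") or [])]
    xcto = (msg.get("X-Content-Type-Options") or "").strip().lower()
    nosniff = xcto == "nosniff"

    findings: List[str] = []
    if not types:
        findings.append("missing-content-type")
    elif len(types) > 1:
        # More than one header: which value a client honours depends on
        # that client's first/last policy, so the server's intent is lost.
        findings.append("duplicate-content-type")
        if len({t.lower() for t in types}) > 1:
            findings.append("conflicting-content-type")
    if nosniff and not types:
        # The server asked the browser to trust a header it never sent.
        findings.append("nosniff-without-content-type")
    if not nosniff:
        # Without nosniff the declared type may be overridden by sniffing.
        findings.append("sniffable")
    return findings


def missing_type_rate_by_nosniff(blocks: List[bytes]) -> Dict[bool, float]:
    """Fraction of responses lacking a Content-Type, split by whether they
    send nosniff (the measurement behind the 'ironic twist' above)."""
    counts = {True: [0, 0], False: [0, 0]}  # nosniff? -> [missing, total]
    for raw in blocks:
        findings = content_type_findings(raw)
        sends_nosniff = "sniffable" not in findings
        counts[sends_nosniff][1] += 1
        if "missing-content-type" in findings:
            counts[sends_nosniff][0] += 1
    return {k: (m / t if t else 0.0) for k, (m, t) in counts.items()}


# Constructed sample header blocks (not captured traffic).
SAMPLES = [
    b"Content-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    b"X-Content-Type-Options: nosniff\r\n\r\n",                       # nosniff, no type
    b"Content-Type: image/gif\r\nContent-Type: text/html\r\n\r\n",   # two headers
    b"Content-Type: text/plain\r\n\r\n",                               # no nosniff
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split(b"\r\n")[0].decode(), "->", content_type_findings(raw))
    print(missing_type_rate_by_nosniff(SAMPLES))
```

Run against a crawl, `missing_type_rate_by_nosniff` reproduces the comparison Adam draws; per response, the two findings worth acting on first are `nosniff-without-content-type` and `conflicting-content-type`, since both mean the server has handed the type decision to the client.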


Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Julian Reschke

Adam Barth wrote:
> 2009/6/1 Bil Corry b...@corry.biz:
>> Den.Molib wrote on 6/1/2009 4:55 PM:
>>> follow the last one, as it's the one provided nearer the content.
>>
>> And by the same logic, the header closest to the content could be the one that
>> was injected by an attacker (via application hole) -- so might choosing the
>> first header be more prudent?
>
> If your site is vulnerable to header splitting, then you have bigger
> problems than injecting a Content-Type header.
>
> In any case, the four major browsers that actually look at the
> Content-Type header agree and use the last header.  The only browser
> that uses the first header more or less ignores it anyway.


Could you clarify that last point?

Are you talking about IE? Which version?

BR, Julian


Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Adam Barth
On Tue, Jun 2, 2009 at 12:19 AM, Julian Reschke julian.resc...@gmx.de wrote:
> Adam Barth wrote:
>> In any case, the four major browsers that actually look at the
>> Content-Type header agree and use the last header.  The only browser
>> that uses the first header more or less ignores it anyway.
>
> Could you clarify that last point?
>
> Are you talking about IE? Which version?

Sure.  For the sake of discussion, let's say IE6 and IE7.  Basically,
if the Content-Type header contains a value IE knows about, then IE
pretty much ignores the value and engages its sniffing algorithm.  So,
for example, if a response has:

Content-Type: text/html
Content-Type: image/gif

and is really a GIF, IE will show the image correctly because it will
see the text/html type, ignore it, and then sniff GIF from the
content.  By contrast, Firefox and Chrome will see the image/gif
type and show the image correctly.  This is quite likely to occur on
the web because it works in every browser.

Now, consider the reverse:

Content-Type: image/gif
Content-Type: text/html

In this case, IE renders the image correctly, but Firefox and Chrome
don't show the image.  This is less likely to occur on the web because
it doesn't work in Firefox (e.g., 20% of the market).

Adam


Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Julian Reschke

Adam Barth wrote:
> Sure.  For the sake of discussion, let's say IE6 and IE7.  Basically,
> if the Content-Type header contains a value IE knows about, then IE
> pretty much ignores the value and engages its sniffing algorithm.  So,
> for example, if a response has:
>
> Content-Type: text/html
> Content-Type: image/gif
>
> and is really a GIF, IE will show the image correctly because it will
> see the text/html type, ignore it, and then sniff GIF from the
> content.  By contrast, Firefox and Chrome will see the image/gif
> type and show the image correctly.  This is quite likely to occur on
> the web because it works in every browser.
>
> Now, consider the reverse:
>
> Content-Type: image/gif
> Content-Type: text/html
>
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image.  This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., 20% of the market).


Thanks!

BR, Julian


Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Bil Corry
Adam Barth wrote on 6/2/2009 3:17 AM: 
> Now, consider the reverse:
>
> Content-Type: image/gif
> Content-Type: text/html
>
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image.  This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., 20% of the market).

It's less likely to occur legitimately, but more likely to occur under a header 
injection scenario.  For example, here's a page that simulates serving an image 
from an untrusted user[1], with the correct content-type of image/x-ms-bmp, 
then a second (injected) content-type of text/html:

http://www.corry.biz:40100/

In Firefox 3, the page renders as HTML and delivers its hidden JavaScript 
payload, but in Internet Explorer 8, the page renders as a BMP image with no 
payload being delivered.  It seems to me that IE has the correct behavior, or 
at least the more desirable behavior in this case.


- Bil


[1] Image from: 
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589



Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Adam Barth
On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry b...@corry.biz wrote:
> It's less likely to occur legitimately, but more likely to occur under a
> header injection scenario.

As I wrote before in this thread, if the attacker can inject headers,
there are far more severe attacks than changing the type of an HTTP
response.

Adam


Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Bil Corry
Adam Barth wrote on 6/2/2009 11:47 AM: 
> On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry b...@corry.biz wrote:
>> It's less likely to occur legitimately, but more likely to occur under a
>> header injection scenario.
>
> As I wrote before in this thread, if the attacker can inject headers,
> there are far more severe attacks than changing the type of an HTTP
> response.

That may be true, but changing the content-type is a very serious issue, as you 
yourself point out in the draft we're discussing:

   When a user agent uses different
   heuristics for media type detection than the server expects, security
   problems can occur.  For example, if a server believes that the
   client will treat a contributed file as an image (and thus treat it
   as benign), but a user agent believes the content to be HTML (and
   thus privileged to execute any scripts contained therein), an
   attacker might be able to steal the user's authentication credentials
   and mount other cross-site scripting attacks.

   from: http://www.ietf.org/internet-drafts/draft-abarth-mime-sniff-01.txt


Perhaps the better choice would be to toss out the multiple content-headers 
entirely and rely exclusively on content-sniffing.  Without the content-header, 
Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers 
the payload -- but your draft, if adopted, should fix that problem, correct?


- Bil



Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Den.Molib
Bil Corry wrote:
> It's less likely to occur legitimately, but more likely to occur under a
> header injection scenario.  For example, here's a page that simulates serving
> an image from an untrusted user[1], with the correct content-type of
> image/x-ms-bmp, then a second (injected) content-type of text/html:
>
>   http://www.corry.biz:40100/
>
> In Firefox 3, the page renders as HTML and delivers its hidden JavaScript
> payload, but in Internet Explorer 8, the page renders as a BMP image with no
> payload being delivered.  It seems to me that IE has the correct behavior, or
> at least the more desirable behavior in this case.

1. The server or the script language you used to inject the payload may
be replacing the header when you add the second header.
2. Browsers in widespread use take into account the last header.

Thus, pre-sending a header is not a method to protect the app.



> Perhaps the better choice would be to toss out the multiple content-headers
> entirely and rely exclusively on content-sniffing.  Without the
> content-header, Firefox 3 correctly shows the image, and Internet Explorer
> incorrectly delivers the payload -- but your draft, if adopted, should fix
> that problem, correct?
>
> - Bil
How do you send HTML content as plain text (e.g., samples of malicious
JavaScript) if using just heuristics?

Or simply send an HTML how-to in plain text.
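Den's first point, that the server or language runtime may replace rather than append the second header, comes down to which header-setting API the application uses. The following is an added example (my own code, not from the thread) showing the two behaviours of Python's wsgiref `Headers` class; the layering of an upload handler followed by a second component that sets the type again is hypothetical, and the check function is mine.

```python
"""Whether a response leaves the server with one Content-Type or two depends
on the header API, not on HTTP (added example, not from the thread)."""
from typing import Dict, List
from wsgiref.headers import Headers


def build_response_headers(second_call: str) -> Headers:
    """Emulate a hypothetical app: an upload handler sets the type for a
    stored image, then a later component sets Content-Type again.
    `second_call` selects which API that later component uses."""
    h = Headers([])
    h["Content-Type"] = "image/x-ms-bmp"            # set by the upload handler
    if second_call == "setitem":
        h["Content-Type"] = "text/html"             # assignment replaces: one header leaves
    elif second_call == "add_header":
        h.add_header("Content-Type", "text/html")   # add_header appends: two headers leave
    else:
        raise ValueError(f"unknown second_call: {second_call}")
    return h


def content_types(second_call: str) -> List[str]:
    """Content-Type values in the order they would be written to the wire."""
    return build_response_headers(second_call).get_all("Content-Type")


def has_single_content_type(h: Headers) -> bool:
    """Pre-send invariant worth asserting in middleware or tests: exactly one
    Content-Type, so no client-side first/last policy can change the outcome."""
    return len(h.get_all("Content-Type")) == 1


def check_both() -> Dict[str, bool]:
    """Evaluate the invariant under both APIs."""
    return {call: has_single_content_type(build_response_headers(call))
            for call in ("setitem", "add_header")}


if __name__ == "__main__":
    for call in ("setitem", "add_header"):
        print(call, content_types(call), "single" if check_both()[call] else "DUPLICATE")
```

In the replacing case there is only one header and, as Bil notes in his reply, the question of first versus last never arises; in the appending case the response is exactly the two-header shape the thread is debating, which is why the invariant belongs in the server's tests rather than in assumptions about browser behaviour.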



Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Bil Corry
Den.Molib wrote on 6/2/2009 4:19 PM: 
> Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a
>> header injection scenario.  For example, here's a page that simulates
>> serving an image from an untrusted user[1], with the correct content-type of
>> image/x-ms-bmp, then a second (injected) content-type of text/html:
>>
>>  http://www.corry.biz:40100/
>>
>> In Firefox 3, the page renders as HTML and delivers its hidden JavaScript
>> payload, but in Internet Explorer 8, the page renders as a BMP image with no
>> payload being delivered.  It seems to me that IE has the correct behavior,
>> or at least the more desirable behavior in this case.
>
> 1. The server or the script language you used to inject the payload may
> be replacing the header when you add the second header.

It may, but then there wouldn't be two headers, and it would fall outside the
scope of this discussion.


> 2. Browsers in widespread use take into account the last header.

Yes, Adam has made this clear; only IE differs.


> Thus, pre-sending a header is not a method to protect the app.

Are you referring to current browser behavior?  Or the proposed 
content-sniffing algorithm?  If you're talking about current browser behavior, 
then it does work for IE.



>> Perhaps the better choice would be to toss out the multiple content-headers
>> entirely and rely exclusively on content-sniffing.  Without the
>> content-header, Firefox 3 correctly shows the image, and Internet Explorer
>> incorrectly delivers the payload -- but your draft, if adopted, should fix
>> that problem, correct?
>
> How do you send HTML content as plain text (e.g., samples of malicious
> JavaScript) if using just heuristics?
>
> Or simply send an HTML how-to in plain text.

The server should provide a single content-type header that specifies 
text/plain.  In the context that there are two content-type headers, then the 
answer will depend on which browser you want to protect; IE, set the first 
header to text/plain; all the others, set the last header to text/plain.

And to be clear, if the content-sniffing draft decides to use the last header 
because it interoperates with the most sites, then I get that.  I just don't 
want to see it using a less secure method just because that's what 4 out of 5 
browsers currently do.


- Bil




Re: [whatwg] First or last Content-Type header?

2009-06-02 Thread Aryeh Gregor
On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry b...@corry.biz wrote:
> The server should provide a single content-type header that specifies
> text/plain.  In the context that there are two content-type headers, then the
> answer will depend on which browser you want to protect; IE, set the first
> header to text/plain; all the others, set the last header to text/plain.

Sending a text/plain Content-Type will not prevent any
(default-configured) version of IE from interpreting the file as HTML,
even if it's the *only* Content-Type header sent.  This is why Adam
Barth said "The only browser that uses the first header more or less
ignores it anyway."  This apparently isn't fixed even in IE8: it
insists on still upsniffing text/plain to text/html unless you use the
nonstandard header Content-Type: text/plain; authoritative=true;.

(The reason given is compatibility.  As usual, Microsoft seems to have
compatibility problems where all other browsers have been doing the
right thing for years -- maybe because of their intranet usage share.
IE8 at least won't treat image/* as HTML anymore.)

So anyway, IE is irrelevant to this discussion.

Reference: 
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx


Re: [whatwg] First or last Content-Type header?

2009-06-01 Thread Den.Molib
The only case of double headers I can think of is when using scripts
that set a content-type, then try to set it again and the language
itself doesn't prevent it.
I think the right option in such a case would be to follow the last one,
as it's the one provided nearer the content.
So I vote for using the last one.


PS: Interestingly, this behavior could be used to send xhtml (and get it
shown on IE) without sending different headers to each browser:
Content-Type: text/html
Content-Type: application/xhtml+xml



Re: [whatwg] First or last Content-Type header?

2009-06-01 Thread Bil Corry
Den.Molib wrote on 6/1/2009 4:55 PM: 
> follow the last one, as it's the one provided nearer the content.

And by the same logic, the header closest to the content could be the one that 
was injected by an attacker (via application hole) -- so might choosing the 
first header be more prudent?


- Bil



Re: [whatwg] First or last Content-Type header?

2009-06-01 Thread Adam Barth
2009/6/1 Bil Corry b...@corry.biz:
> Den.Molib wrote on 6/1/2009 4:55 PM:
>> follow the last one, as it's the one provided nearer the content.
>
> And by the same logic, the header closest to the content could be the one
> that was injected by an attacker (via application hole) -- so might choosing
> the first header be more prudent?

If your site is vulnerable to header splitting, then you have bigger
problems than injecting a Content-Type header.

In any case, the four major browsers that actually look at the
Content-Type header agree and use the last header.  The only browser
that uses the first header more or less ignores it anyway.

Adam


Re: [whatwg] First or last Content-Type header?

2009-05-31 Thread Geoffrey Sneddon


On 30 May 2009, at 23:20, Adam Barth wrote:


> In editing the content sniffing Internet Draft today, I noticed the
> draft uses the *first* Content-Type header.  Internet Explorer uses
> the first Content-Type header, but Firefox and Google Chrome use the
> last Content-Type header.  (I don't recall off-hand which Safari or
> Opera use.)  Because the sniffing algorithm is more similar to the
> algorithms used by Firefox and Google Chrome, I've changed this aspect
> to match them as well.


Firefox, Safari and Opera use the last header in all cases where there
is a header that is only expected to appear once (i.e., doesn't take a
#rule as a value), and have a list of all headers that they expect to
appear only once. IE uses the first header in all cases where it
doesn't expect the header to appear more than once (i.e., a header
like X-Foobar appearing twice returns the value of the first one). I
don't know about Chrome, because that only appeared after I last did
any work on HTTP parsing (but it normally follows Firefox from the
small amount of experimentation I've done with it since). I, on the
whole, would be tempted to take the first header, and use a list of
headers that you expect to only appear once (i.e., a mix of behaviours).



--
Geoffrey Sneddon
http://gsnedders.com/



Re: [whatwg] First or last Content-Type header?

2009-05-31 Thread Adam Barth
On Sun, May 31, 2009 at 4:55 AM, Geoffrey Sneddon
foolist...@googlemail.com wrote:
> I, on the whole, would be tempted to take the first header, and use
> a list of headers that you expect to only appear once (i.e., a mix of
> behaviours).

Is there a particular reason why you think we should use the first
Content-Type header?  It seems like 4/5 browsers prefer the last
Content-Type header.

Adam


Re: [whatwg] First or last Content-Type header?

2009-05-31 Thread Geoffrey Sneddon


On 31 May 2009, at 12:55, Geoffrey Sneddon wrote:

> IE uses the first header in all cases where it doesn't expect the
> header to appear more than once (i.e., a header like X-Foobar
> appearing twice returns the value of the first one).


I don't think this is quite true, actually. It doesn't always use the
first header, I don't think (from memory). Try:


Content-Type: jkfjkdsfjdsf
Content-Type: text/xml
Content-Type: text/plain

I think it'll use text/xml as the first valid value (and in the case
of other browsers using the last header gives compat. with the
majority of the content that relies upon this behaviour).


It's probably simplest just using the last header, actually, then.

I should probably try playing around with HTTP parsing again some more…


--
Geoffrey Sneddon
http://gsnedders.com/
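Adam's two-header examples earlier in the thread and Geoffrey's three-header case above are easiest to compare by running them through the three selection rules that have been put forward: first header, last header, and first syntactically valid header. The code below is an added example, not from the thread or from any browser; the policy names and the header blocks are mine, and the `first-valid` rule models Geoffrey's guess about IE rather than verified behaviour. It also goes slightly beyond the thread by reporting whether the rules agree at all for a given response.

```python
"""Resolve the Content-Type a client ends up with when a response carries
several, under the three selection rules discussed in the thread
(added example; policies model the thread's descriptions, not real code)."""
import io
import re
from http.client import parse_headers
from typing import Dict, List, Optional

# RFC 2616 token characters; a syntactically valid media type is
# type "/" subtype, optionally followed by ";"-separated parameters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(r"^\s*" + _TOKEN + "/" + _TOKEN + r"\s*(?:;.*)?$", re.S)

POLICIES = ("first", "last", "first-valid")


def content_type_values(raw_headers: bytes) -> List[str]:
    """All Content-Type values in wire order. `raw_headers` is the header
    block after the status line, terminated by a blank line."""
    msg = parse_headers(io.BytesIO(raw_headers))
    return [v.strip() for v in (msg.get_all("Content-Type") or [])]


def is_valid_media_type(value: str) -> bool:
    return _MEDIA_TYPE.match(value) is not None


def effective_content_type(raw_headers: bytes, policy: str) -> Optional[str]:
    """'first'       - first header wins (IE as described for once-only headers)
       'last'        - last header wins (Firefox, Chrome, Safari, Opera per the thread)
       'first-valid' - first syntactically valid value wins (Geoffrey's guess for IE)"""
    values = content_type_values(raw_headers)
    if policy == "first":
        return values[0] if values else None
    if policy == "last":
        return values[-1] if values else None
    if policy == "first-valid":
        return next((v for v in values if is_valid_media_type(v)), None)
    raise ValueError(f"unknown policy: {policy}")


def compare_policies(raw_headers: bytes) -> Dict[str, Optional[str]]:
    return {p: effective_content_type(raw_headers, p) for p in POLICIES}


def clients_agree(raw_headers: bytes) -> bool:
    """True when every policy lands on the same type. When False, the
    response's interpretation is decided by the client, not the server."""
    return len(set(compare_policies(raw_headers).values())) == 1


# Constructed header blocks reproducing the cases quoted in the thread.
HTML_THEN_GIF = b"Content-Type: text/html\r\nContent-Type: image/gif\r\n\r\n"
GIF_THEN_HTML = b"Content-Type: image/gif\r\nContent-Type: text/html\r\n\r\n"
GARBAGE_XML_PLAIN = (b"Content-Type: jkfjkdsfjdsf\r\nContent-Type: text/xml\r\n"
                     b"Content-Type: text/plain\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("html,gif", HTML_THEN_GIF), ("gif,html", GIF_THEN_HTML),
                      ("garbage,xml,plain", GARBAGE_XML_PLAIN)):
        print(name, compare_policies(raw), "agree" if clients_agree(raw) else "DISAGREE")
```

For a server operator the useful function is `clients_agree`: every response for which it returns False is one whose type is chosen by the client's policy rather than the server's intent, which is exactly the situation Bil's BMP example relies on. Emitting one Content-Type removes that ambiguity whichever rule the draft settles on.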