Den.Molib wrote on 6/2/2009 4:19 PM: 
> Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a 
>> header injection scenario.  For example, here's a page that simulates 
>> serving an image from an untrusted user[1], with the correct content-type of 
>> image/x-ms-bmp, then a second (injected) content-type of text/html:
>>
>>      http://www.corry.biz:40100/
>>
>> In Firefox 3, the page renders as HTML and delivers its hidden JavaScript 
>> payload, but in Internet Explorer 8, the page renders as a BMP image with no 
>> payload being delivered.  It seems to me that IE has the correct behavior, 
>> or at least the more desirable behavior in this case.
>>   
> 
> 1. The server or the script language you used to inject the payload may
> be replacing the header when you add the second header.

It may, but then there wouldn't be two headers, and it would fall outside the 
scope of this discussion.


> 2. Browsers in widespread use take into account the last header.

Yes, Adam has made this clear; only IE differs.


> Thus, pre-sending a header is not a method to protect the app.

Are you referring to current browser behavior?  Or the proposed 
content-sniffing algorithm?  If you're talking about current browser behavior, 
then it does work for IE.



>> Perhaps the better choice would be to toss out the multiple content-headers 
>> entirely and rely exclusively on content-sniffing.  Without the 
>> content-header, Firefox 3 correctly shows the image, and Internet Explorer 
>> incorrectly delivers the payload -- but your draft, if adopted, should fix 
>> that problem, correct?
>
> How do you send HTML content as plain text (e.g. samples of malicious
> JavaScript) if using just heuristics?
> 
> Or simply send an HTML how-to in plain text.

The server should provide a single content-type header that specifies 
text/plain.  In the context that there are two content-type headers, then the 
answer will depend on which browser you want to protect; IE, set the first 
header to text/plain; all the others, set the last header to text/plain.

And to be clear, if the content-sniffing draft decides to use the last header 
because it interoperates with the most sites, then I get that.  I just don't 
want to see it using a less secure method just because that's what 4 out of 5 
browsers currently do.


- Bil


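As an added example (not part of the thread or any project's code), a small Python check that parses a raw HTTP response head, counts the Content-Type headers and reports which value first-header browsers (IE 8, per the thread) and last-header browsers (Firefox 3 and the rest) would act on; a proxy or test harness can use it to flag any response carrying more than one. The two sample responses are constructed for the example.

```python
"""Detect duplicate Content-Type headers in a raw HTTP response head.

Added example, not from the original thread.  The sample responses below are
constructed to mirror the scenario discussed: a legitimate image/x-ms-bmp
header followed by an injected text/html header.
"""
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (name, value) pairs, keeping order and duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def content_type_ambiguity(raw: str) -> Dict[str, object]:
    """Report how many Content-Type headers exist and which one each browser camp honours.

    Per the thread: IE 8 uses the first header, Firefox 3 and the others use the last.
    A response with more than one distinct media type is flagged as ambiguous.
    """
    values = [v for n, v in parse_headers(raw) if n == "content-type"]
    media_types = {v.split(";", 1)[0].strip().lower() for v in values}
    first: Optional[str] = values[0] if values else None
    last: Optional[str] = values[-1] if values else None
    return {
        "count": len(values),
        "first_header_value": first,  # what IE 8 renders, per the thread
        "last_header_value": last,    # what Firefox 3 and the rest render
        "ambiguous": len(media_types) > 1,
    }


# Constructed sample: correct image header followed by an injected text/html header.
INJECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/x-ms-bmp\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "BM..."
)

# Constructed sample: the single header a server should send.
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: image/x-ms-bmp\r\n\r\nBM..."

if __name__ == "__main__":
    print(content_type_ambiguity(INJECTED_RESPONSE))
    print(content_type_ambiguity(CLEAN_RESPONSE))
```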