
Re: Content security model

From: James French <jfrench@denirostaff.com>
Date: Wed, 25 Jul 2012 22:42:13 +0000
Message-ID: <CAD0z36U9GjH4vRbTT_4dnfd2zN4s5fqpM9cHL-x25AkCyeTmZA@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

It occurs to me that a man-in-the-middle could change a Content-Type
header to trick a web service into delivering scripted data.

1.) MITM uploads script.jpg to https2://legit-host/script.jpg
2.) Client requests /script.jpg from legit-host
3.) legit-host signs and delivers script.jpg with a Content-Type of: image/jpg
4.) MITM changes Content-Type header from image/jpg to text/html
5.) Client runs script.jpg with the permissions level of a script
running on legit-host

It's unlikely that this scenario would come up in practice, but it
does exist as a hypothetical vector.

On Wed, Jul 25, 2012 at 9:59 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>
> 3) HTTP security controls should only secure content. Signing headers
> is not only difficult, it is often counterproductive. If a Web service
> depends on information in a header there is probably something wrong
>
Received on Thursday, 26 July 2012 08:49:19 GMT
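The five-step exchange described in the message above, played out in code under the two signing policies the thread is weighing (body only, versus body plus the header the client acts on). This is an added example, not code from the original message or from any project discussed in the thread. It assumes a shared HMAC key standing in for legit-host's signing key, a made-up "Signature" header carrying the signature, and a constructed script.jpg body that is really HTML; the client's three outcome labels are likewise illustrative. The point it makes concrete: with content-only signing the signature still verifies after the MITM rewrites Content-Type, and the client parses script.jpg as HTML in legit-host's origin; once Content-Type is part of the signed material, the same rewrite fails verification.

```python
import hashlib
import hmac

# Constructed demo key shared by legit-host and the client. A real deployment
# would use an asymmetric signing key; HMAC keeps the example self-contained.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed body of the attacker-uploaded "script.jpg": HTML, not a JPEG.
SCRIPT_JPG = b"<html><script>alert(document.domain)</script></html>"

# The two signing policies being compared.
CONTENT_ONLY = ()                     # sign the body only (the policy argued for in the thread)
CONTENT_AND_TYPE = ("Content-Type",)  # also sign the header the client acts on


def signature_input(headers, body, covered):
    """Canonical bytes the signature is computed over.

    Each covered header is appended as 'name: value\\n' with the name lower-cased
    and the value stripped, in sorted name order, followed by a blank line and
    the body. With covered=() the headers contribute nothing, so only the body
    is protected.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    out = bytearray()
    for name in sorted(n.lower() for n in covered):
        out += f"{name}: {lower[name]}\n".encode()
    out += b"\n" + body
    return bytes(out)


def sign(headers, body, covered):
    return hmac.new(DEMO_KEY, signature_input(headers, body, covered), hashlib.sha256).hexdigest()


def verify(headers, body, covered, signature):
    return hmac.compare_digest(sign(headers, body, covered), signature)


def legit_host_response(covered):
    """Step 3: legit-host serves script.jpg as image/jpg and signs it."""
    headers = {"Content-Type": "image/jpg", "Content-Length": str(len(SCRIPT_JPG))}
    headers["Signature"] = sign(headers, SCRIPT_JPG, covered)  # hypothetical header name
    return headers, SCRIPT_JPG


def mitm_rewrite_content_type(headers, body):
    """Step 4: the attacker changes only the Content-Type header in transit."""
    tampered = dict(headers)
    tampered["Content-Type"] = "text/html"
    return tampered, body


def client_render(headers, body, covered):
    """Step 5: the client verifies the signature, then acts on Content-Type.

    Returns a label describing what a browser would do with the response.
    """
    signature = headers.get("Signature")
    if signature is None or not verify(headers, body, covered, signature):
        return "rejected"
    media_type = headers["Content-Type"].split(";", 1)[0].strip().lower()
    if media_type == "text/html":
        return "script-executed"   # parsed as HTML in legit-host's origin: attack succeeds
    if media_type.startswith("image/"):
        return "image-decoded"     # JPEG decoder sees HTML bytes: broken image, no script
    return "unknown-type"


def run_scenario(covered, mitm=True):
    """Play the whole exchange under one signing policy."""
    headers, body = legit_host_response(covered)
    if mitm:
        headers, body = mitm_rewrite_content_type(headers, body)
    return client_render(headers, body, covered)


if __name__ == "__main__":
    for label, policy in (("content only", CONTENT_ONLY),
                          ("content + Content-Type", CONTENT_AND_TYPE)):
        print(f"{label:22s} no MITM: {run_scenario(policy, mitm=False):15s} "
              f"MITM rewrites Content-Type: {run_scenario(policy)}")
```

Two practical caveats the toy glosses over. First, header canonicalization (name case, surrounding whitespace, folding, duplicate headers) has to be pinned down exactly on both sides or valid responses will fail to verify; the same concern applies to any header a client acts on, such as Content-Disposition or Content-Encoding, not just Content-Type. Second, the list of covered headers should itself be part of the signed input, otherwise an intermediary can strip the list and downgrade the receiver to body-only checking; the later HTTP Message Signatures specification (RFC 9421) handles this by naming the covered components inside the signed material.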