Limitations of IE8 type-sniffing opt-out

As mentioned in 
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx 
IE8 beta 2 supports "X-Content-Type-Options: nosniff" (previously called 
"Content-Type: ...; authoritative=true", and discussed around 
http://lists.w3.org/Archives/Public/public-html/2008Jul/0001.html), 
which may be of interest to people here.

From that blog post: "Sending the new X-Content-Type-Options response 
header with the value nosniff will prevent Internet Explorer from 
MIME-sniffing a response away from the declared content-type."

As far as I can tell, this only works in a very limited set of cases. It 
can prevent a text/plain document from being sniffed as text/html, but I 
haven't found any other cases where it stops the Content-Type being ignored.

http://philip.html5.org/tests/ie8/cases/content-type-nosniff.html has 
some examples:

* Images used in <img> are rendered according to the file's content, 
regardless of Content-Type and nosniff.

* Images used in <object> are rendered according to the file's content, 
regardless of Content-Type and nosniff, iff the <object> has one of the 
accepted image 'type'-attribute values (e.g. image/jpeg, image/gif; but 
oddly *not* image/png).

* Scripts are executed as JScript/VBScript according to the <script 
type> attribute (defaulting to JScript), regardless of Content-Type and 
nosniff.

* <link rel="stylesheet">s are processed as CSS, regardless of 
Content-Type and nosniff.

The obvious danger is that someone will start sending the nosniff header 
for every file on their server, and test that it works fine in IE8; then 
for IE10, Microsoft will decide that e.g. allowing text/plain to be 
executed as JScript via <script> is insecure, but they can't trigger 
opt-out on the old nosniff header because it will break a load of sites, 
so it'll need a whole new header 
("X-Content-Type-Options-I-Really-Mean-It: nosniff").

(It seems it would have to be a new header, not a new value for 
X-Content-Type-Options, because no value other than "nosniff" will be 
accepted by IE8 to disable sniffing, and sites will want to work as 
securely as possible in both IE8 and IE10.)


Are there any other type-sniffing cases that are worth testing? Have I 
made any mistakes in my current testing? Am I wrong in my assumptions 
about where IE8's sniffing opt-out ought to opt out of sniffing instead 
of being ignored?


On a slightly related note: since I couldn't find this information 
trivially, it might be nice if somewhere (maybe in the HTML5 spec?) 
there was a list of all the cases where a resource can be interpreted by 
a (conforming) UA contrary to its Content-Type, to help people design 
secure sites by understanding exactly when the declared types might be 
overruled.

-- 
Philip Taylor
pjt47@cam.ac.uk

Received on Wednesday, 3 September 2008 11:07:23 UTC
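A small lab server for reproducing the checks described in the post, added here as an example; it is neither the philip.html5.org test page nor any Microsoft code. It serves constructed payloads (a JScript snippet, a CSS rule, a 1x1 GIF) under whatever Content-Type the query string names, with or without `X-Content-Type-Options: nosniff`, and an index page that embeds them through each of the contexts the post lists (`<img>`, `<object>` with image/gif and image/png type attributes, `<script>`, `<link rel="stylesheet">`). The `/res` URL layout, the query parameter names and the 127.0.0.1:8000 listener are assumptions of this example. Loading the index in a browser shows directly which contexts honour the declared type and whether nosniff changes the outcome.

```python
"""Lab server: serve one payload under a chosen Content-Type, with or
without X-Content-Type-Options: nosniff, and embed it in every context
from the post so a browser's sniffing behaviour can be observed.
Run:  python nosniff_lab.py   then open http://127.0.0.1:8000/
Toggle: /?ct=text/plain&nosniff=0   or   /?ct=application/octet-stream&nosniff=1
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
import base64

# Constructed payloads: each is valid in one context, but every one of them
# is served under the Content-Type requested in the query string.
PAYLOADS = {
    "js": b"document.body.insertAdjacentHTML('beforeend',"
          b"'<p>script body was executed despite the declared type</p>');",
    "css": b"body { background: #fdd; }",
    # 1x1 transparent GIF (constructed sample, base64-encoded)
    "gif": base64.b64decode(
        b"R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"),
}


def build_headers(kind, content_type, nosniff):
    """Response headers for one test resource, as (name, value) pairs."""
    headers = [("Content-Type", content_type),
               ("Content-Length", str(len(PAYLOADS[kind]))),
               ("Cache-Control", "no-store")]
    if nosniff:
        # The header under test; only the value "nosniff" is meaningful.
        headers.append(("X-Content-Type-Options", "nosniff"))
    return headers


def parse_request(path):
    """Split /res?kind=js&ct=text/plain&nosniff=1 into (path, kind, ct, nosniff).
    Defaults: kind=js, ct=text/plain, nosniff on (assumed defaults)."""
    u = urlparse(path)
    q = parse_qs(u.query)
    kind = q.get("kind", ["js"])[0]
    ct = q.get("ct", ["text/plain"])[0]
    nosniff = q.get("nosniff", ["1"])[0] == "1"
    return u.path, kind, ct, nosniff


def index_html(ct="text/plain", nosniff=True):
    """Index page embedding the same declared type in every context listed in
    the post: <link>, <img>, <object> (image/gif and image/png), <script>."""
    def url(kind):
        return f"/res?kind={kind}&ct={ct}&nosniff={int(nosniff)}"
    return f"""<!DOCTYPE html><html><head><meta charset="utf-8">
<title>nosniff lab</title>
<link rel="stylesheet" href="{url('css')}">
</head><body>
<p>Declared type: {ct}; nosniff: {nosniff}</p>
<p>img: <img src="{url('gif')}" alt="[img not rendered]"></p>
<p>object type=image/gif: <object data="{url('gif')}" type="image/gif"
 width="16" height="16">[fallback shown]</object></p>
<p>object type=image/png: <object data="{url('gif')}" type="image/png"
 width="16" height="16">[fallback shown]</object></p>
<script src="{url('js')}"></script>
</body></html>"""


class LabHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path, kind, ct, nosniff = parse_request(self.path)
        if path == "/":
            body = index_html(ct, nosniff).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        if path != "/res" or kind not in PAYLOADS:
            self.send_error(404)
            return
        self.send_response(200)
        for name, value in build_headers(kind, ct, nosniff):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(PAYLOADS[kind])


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), LabHandler).serve_forever()
```

The index defaults to declaring every resource as text/plain with nosniff set, which is the configuration the post found only protects the text/plain-to-text/html case; changing `ct` and `nosniff` in the query string lets the other combinations be compared side by side in the same page.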