
Re: text/sandboxed-html

From: Collin Jackson <collin@collinjackson.com>
Date: Tue, 26 Jan 2010 14:32:35 -0800
Message-ID: <986207e71001261432x415a4148pccd4aea2cd5a4069@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "Helen Wang (MSR)" <helenw@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Tue, Jan 26, 2010 at 2:14 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> I have been unable to find any existing browsers that are willing to
>> sniff text/html-sandboxed as HTML. I have tried various versions of
>> IE, Firefox, Google Chrome, Safari, and Opera.
>
> I am pretty sure that MSIE will sniff it if a trailing /foo.html or
> ;foo.html segment is spotted in the path. Because of mechanisms such
> as Apache PATH_INFO or PHP parameter passing rules, such trailing
> segments can often be appended freely.

Good point. This does seem possible, but quite annoying, to mitigate
server-side.

Another related issue is that Flash Player is willing to render
text/html-sandboxed as a Flash movie, and Flash movies run with the
privileges of the hosting site. So, a victim might need to ensure that
the content doesn't parse as a valid Flash movie, at least until this
issue can be addressed by Adobe (treating unrecognized MIME types the
same as content served with Content-Disposition: attachment).

Collin Jackson
Received on Tuesday, 26 January 2010 22:47:42 GMT
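The two server-side problems raised in this message (a trailing /foo.html or ;foo.html segment that can make MSIE sniff the response as HTML, and a body that Flash Player would accept as a SWF because it starts with a SWF signature) are concrete enough to check for in code. The following is an added example, not code from the thread or from any browser vendor: it assumes a server that knows the exact path of the resource it is serving (`resource_path`), uses the documented SWF signatures FWS/CWS/ZWS, and assumes Flash Player only matches that signature at offset 0 of the response, so a leading HTML comment is enough to break it while remaining invisible to an HTML parser.

```python
"""Guards for content served as text/html-sandboxed.

Added example (not from the thread). It refuses requests that carry an
extra trailing path segment and neutralises bodies that would parse as a
Flash movie.
"""
from urllib.parse import urlsplit

# Every SWF starts with one of these three-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Prefix used to shift a SWF signature away from offset 0. It is an HTML
# comment, so an HTML parser ignores it. Assumption: Flash Player only
# checks the signature at the very start of the response.
NEUTRALISING_PREFIX = b"<!-- sandboxed -->\n"


def looks_like_swf(body: bytes) -> bool:
    """True if the body starts with a SWF signature.

    Being conservative here is cheap: anything that starts with the
    signature is treated as a potential movie, regardless of what follows.
    """
    return body[:3] in SWF_SIGNATURES


def has_extra_path_segment(request_path: str, resource_path: str) -> bool:
    """True if the request path continues past the served resource.

    Covers the Apache PATH_INFO style '/view.php/foo.html' and the
    ';foo.html' style mentioned in the thread. The query string is ignored.
    """
    path = urlsplit(request_path).path
    if path == resource_path:
        return False
    if not path.startswith(resource_path):
        return False
    # The character right after the resource decides: '/' or ';' means a
    # trailing segment was appended; anything else is a different resource.
    return path[len(resource_path)] in "/;"


def serve_sandboxed(request_path: str, resource_path: str, body: bytes):
    """Return (status, headers, body) for a text/html-sandboxed response.

    - Requests with a trailing path segment get a 404 rather than an attempt
      to canonicalise the URL, which is the annoying part to get right.
    - A body that starts with a SWF signature is prefixed with an HTML
      comment so the signature is no longer at offset 0.
    """
    if has_extra_path_segment(request_path, resource_path):
        return 404, {"Content-Type": "text/plain"}, b"not found"

    headers = {"Content-Type": "text/html-sandboxed"}
    if looks_like_swf(body):
        body = NEUTRALISING_PREFIX + body
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample: untrusted "HTML" whose first bytes form a
    # compressed-SWF header.
    hostile = b"CWS\x0a\x00\x00\x00\x00" + b"<p>hello</p>"
    print(serve_sandboxed("/view.php", "/view.php", hostile))
    print(serve_sandboxed("/view.php/foo.html", "/view.php", hostile))
```

The 404 for extra path segments is deliberate: rewriting or stripping the trailing segment and serving anyway leaves the sniffing decision in the browser's hands, whereas refusing the request removes the URL shape MSIE keys on.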
