Re: text/sandboxed-html

On Tue, Jan 26, 2010 at 2:14 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> I have been unable to find any existing browsers that are willing to
>> sniff text/html-sandboxed as HTML. I have tried various versions of
>> IE, Firefox, Google Chrome, Safari, and Opera.
>
> I am pretty sure that MSIE will sniff it if a trailing /foo.html or
> ;foo.html segment is spotted in the path. Because of mechanisms such
> as Apache PATH_INFO or PHP parameter passing rules, such trailing
> segments can often be appended freely.

Good point. This does seem possible, but quite annoying, to mitigate
server-side.

Another related issue is that Flash Player is willing to render
text/html-sandboxed as a Flash movie, and Flash movies run with the
privileges of the hosting site. So, a victim might need to ensure that
the content doesn't parse as a valid Flash movie, at least until this
issue can be addressed by Adobe (treating unrecognized mime types the
same as content served with Content-Disposition: attachment).

Collin Jackson

Received on Tuesday, 26 January 2010 22:47:42 UTC
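As an added example (not code from this thread or from any of its authors), a small server-side gate in Python for the two cases raised above: refusing requests that carry a trailing path segment, and refusing bodies that start with a SWF header. It assumes Flash Player identifies a movie by its leading FWS/CWS/ZWS signature bytes, that the request path is passed without its query string, and that the function names and the nosniff header are my own additions rather than anything the thread proposes.

```python
import struct

# Signature bytes a SWF file starts with: "FWS" (uncompressed) and "CWS"
# (zlib-compressed, SWF 6+). "ZWS" (LZMA) arrived later, with Flash Player 11.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(data: bytes) -> bool:
    """True if `data` carries a plausible SWF header.

    Assumption (not stated in the thread): Flash Player decides by the leading
    bytes, so we check the 8-byte header: 3-byte signature, 1-byte version,
    4-byte little-endian uncompressed file length.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return False
    (length,) = struct.unpack("<I", data[4:8])
    # An uncompressed SWF is exactly `length` bytes long; a compressed one only
    # promises that the decompressed size is at least the header it declares.
    if data[:3] == b"FWS":
        return length == len(data)
    return length >= 8


def has_trailing_segment(request_path: str, resource_path: str) -> bool:
    """True when extra data is appended after the resource, e.g. PATH_INFO such
    as /view.php/foo.html or a ';foo.html' parameter, the hint the thread says
    MSIE may use to sniff the response as HTML."""
    if not request_path.startswith(resource_path):
        return True  # not the resource we expected at all; treat as suspect
    tail = request_path[len(resource_path):]
    return tail != "" and tail[0] in "/;"


def sandboxed_response(request_path: str, resource_path: str, body: bytes):
    """Return (status, headers, body) for serving `body` as text/html-sandboxed,
    refusing the two cases discussed in the thread."""
    if has_trailing_segment(request_path, resource_path):
        return ("404 Not Found", [("Content-Type", "text/plain")], b"")
    if looks_like_swf(body):
        return ("403 Forbidden", [("Content-Type", "text/plain")], b"")
    headers = [
        ("Content-Type", "text/html-sandboxed"),
        # Not part of the thread: asks MSIE 8+ not to sniff the type at all.
        ("X-Content-Type-Options", "nosniff"),
    ]
    return ("200 OK", headers, body)
```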