[Bug 5776] Authors need more control over handling of embedded resources


Adam Barth <w3c@adambarth.com> changed:

           What    |Removed                     |Added
                 CC|                            |w3c@adambarth.com

--- Comment #7 from Adam Barth <w3c@adambarth.com>  2008-06-23 23:17:19 ---
(In reply to comment #3)
> So this is a request for a way to override the type of a resource in an
> <iframe> from the HTML side?

If we do this, we should carefully consider the security implications of
overriding the server-provided Content-Type.  For example, suppose a web site
lets users upload avatar images and serves the bytes of the uploaded images
with a Content-Type of image/gif.  Now suppose the attacker uploads an HTML
document as his or her avatar.  If the UA let's the attacker override the
server-provided Content-Type, the UA will execute the attacker's script in the
sites security context (i.e., the UA will have introduced an XSS vulnerability
into the site).

So some extent, sites already have to cope with browsers overriding the
server-provided Content-Type due to content sniffing.  Many sites have spent
extensive effort reverse engineering UA content sniffing algorithms.  For
example, Gmail pads text/plain attachments with 512 space characters to foil
IE's text/plain sniffer.  Explicitly overriding the Content-Type, say to
text/html, would defeat this countermeasure and introduce an XSS vulnerability
into Gmail.

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Monday, 23 June 2008 23:17:54 UTC