- From: Collin Jackson <collin@collinjackson.com>
- Date: Tue, 26 Jan 2010 14:32:35 -0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: "Helen Wang (MSR)" <helenw@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Tue, Jan 26, 2010 at 2:14 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> I have been unable to find any existing browsers that are willing to
>> sniff text/html-sandboxed as HTML. I have tried various versions of
>> IE, Firefox, Google Chrome, Safari, and Opera.
>
> I am pretty sure that MSIE will sniff it if a trailing /foo.html or
> ;foo.html segment is spotted in the path. Because of mechanisms such
> as Apache PATH_INFO or PHP parameter passing rules, such trailing
> segments can often be appended freely.

Good point. This does seem possible, but quite annoying, to mitigate server-side.

Another related issue is that Flash Player is willing to render text/html-sandboxed as a Flash movie, and Flash movies run with the privileges of the hosting site. So, a victim might need to ensure that the content doesn't parse as a valid Flash movie, at least until this issue can be addressed by Adobe (treating unrecognized mime types the same as content served with Content-Disposition: attachment).

Collin Jackson
Received on Tuesday, 26 January 2010 22:47:42 UTC
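A server-side check for the two sniffing triggers discussed in this message (a trailing PATH_INFO-style segment that ends in .html, and a response body that parses as a Flash movie), added here as an example that is not part of the thread. The function names, the sample paths and the policy (404 for a suffixed path, Content-Disposition: attachment for SWF-shaped bodies) are assumptions for illustration.

```python
import re

# Magic bytes at offset 0 of a Flash movie: uncompressed, zlib- and LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# A PATH_INFO-style suffix such as "/foo.html" or ";foo.html" appended after
# the canonical resource path; this is the trigger described for MSIE sniffing.
TRAILING_HTML_SEGMENT = re.compile(r"[/;][^/;]*\.html?$", re.IGNORECASE)


def looks_like_swf(body: bytes) -> bool:
    """True if the body begins with a Flash movie signature."""
    return body[:3] in SWF_SIGNATURES


def has_trailing_html_segment(request_path: str, resource_path: str) -> bool:
    """True if the request path extends the canonical resource path with a
    segment that gives the URL an .htm/.html extension."""
    if not request_path.startswith(resource_path):
        return False
    extra = request_path[len(resource_path):]
    return bool(extra) and TRAILING_HTML_SEGMENT.search(extra) is not None


def decide(request_path: str, resource_path: str, body: bytes):
    """Return (status, headers) for serving `body` as text/html-sandboxed.

    A path with an appended .html segment is refused outright rather than
    served, so the sniffing trigger never reaches the browser; a body that
    looks like a SWF is served as an attachment so Flash Player does not
    run it with the hosting site's privileges (assumed policy)."""
    if has_trailing_html_segment(request_path, resource_path):
        return 404, {}
    headers = {"Content-Type": "text/html-sandboxed"}
    if looks_like_swf(body):
        headers["Content-Disposition"] = "attachment"
    return 200, headers


if __name__ == "__main__":
    # Constructed sample inputs.
    print(decide("/widget/foo.html", "/widget", b"<p>hi</p>"))
    print(decide("/widget", "/widget", b"CWS\x0a\x00\x00\x00"))
    print(decide("/widget", "/widget", b"<p>hi</p>"))
```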