- From: Domenic Denicola <notifications@github.com>
- Date: Thu, 13 May 2021 09:32:15 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/633/840678269@github.com>
> I cannot find any information on what kind of attacks would be possible due to mime type sniffing on images in a Spectre-based world. Could you elaborate more on this?

See https://github.com/annevk/orb/

> Could you give an example of what a potential attack could look like that is possible when the jxl magic gets added to the mimesniff spec and not possible when it does not get added there?

Consider a data file which is not JXL, but gets sniffed as it. It has its content type set to something like `application/vnd.bank.data`, not `image/jxl`. By doing `<img src="https://bank.example/sensitive-user-data.bin">` on an attacker's site, `sensitive-user-data.bin` is brought into the attacker's process. They can then use Spectre to read that data.

If instead the browser required that `sensitive-user-data.bin` had `image/jxl` before it tried to decode the image, then it would not be brought into the attacker's process.

This is fairly fundamental modern security hygiene, so I'm a bit surprised that you all haven't encountered it before. It's been encoded into the guidelines, which are there for a reason. It's a bit tiring having to educate folks about this; the point of the guidelines is to make it clear how the web is intended to work going forward. I hope you can accept that they were added for good reason, and follow them.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/633#issuecomment-840678269
Received on Thursday, 13 May 2021 16:32:28 UTC
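The two policies contrasted in the message above, as an added illustration that is not part of the archived thread and not the ORB or mimesniff algorithm itself: a simplified decision function for a cross-origin, no-cors `<img>` response. The PNG, GIF and JPEG signatures are the ones mimesniff already sniffs; the two-byte JPEG XL codestream signature (0xFF 0x0A) is taken from the JPEG XL specification. The `bankData` response, its `application/vnd.bank.data` contents and the `sniffJxl` policy flag are constructed for this example.

```javascript
// Added example: a simplified model of "sniff images by signature" versus
// "require a declared image/* Content-Type". It is not the ORB or mimesniff
// algorithm; it only shows how adding one signature to the sniffing table
// widens what a cross-origin <img> can pull into the requesting process.

// Image signatures mimesniff already recognises (PNG, GIF87a/GIF89a, JPEG).
const IMAGE_SIGNATURES = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
];

// Bare JPEG XL codestream signature, from the JPEG XL spec. Whether this entry
// belongs in the sniffing table is exactly what the thread is arguing about.
const JXL_SIGNATURE = { type: "image/jxl", bytes: [0xff, 0x0a] };

// Return the first signature that matches the body's leading bytes, or undefined.
function sniffImageType(body, signatures) {
  for (const sig of signatures) {
    if (sig.bytes.length <= body.length &&
        sig.bytes.every((b, i) => body[i] === b)) {
      return sig.type;
    }
  }
  return undefined;
}

// Extract the MIME essence ("type/subtype") from a Content-Type header value.
function essence(contentType) {
  if (!contentType) return null;
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide whether a no-cors <img> response body may be handed to the image
// decoder in the requesting (possibly attacker-controlled) renderer process.
//   policy.sniffJxl === true  : JXL magic is in the sniffing table (the proposal)
//   policy.sniffJxl === false : image/jxl must be declared (the message's position)
function mayEnterRendererProcess(response, policy) {
  const declared = essence(response.contentType);
  if (declared && declared.startsWith("image/")) {
    return { allowed: true, reason: `declared ${declared}` };
  }
  const table = policy.sniffJxl
    ? [...IMAGE_SIGNATURES, JXL_SIGNATURE]
    : IMAGE_SIGNATURES;
  const sniffed = sniffImageType(response.body, table);
  if (sniffed) {
    return { allowed: true, reason: `sniffed as ${sniffed}` };
  }
  return { allowed: false, reason: "not an image by declared type or signature" };
}

// Constructed sample: a private, non-image file served with a non-image
// Content-Type whose first two bytes happen to be 0xFF 0x0A. The byte contents
// are hypothetical; no real bank format is implied.
const bankData = {
  contentType: "application/vnd.bank.data",
  body: Uint8Array.from([0xff, 0x0a, 0x41, 0x43, 0x43, 0x54, 0x3a, 0x31, 0x32]),
};

// Constructed sample: a genuine JXL response with the correct declared type.
const realJxl = {
  contentType: "image/jxl",
  body: Uint8Array.from([0xff, 0x0a, 0x00, 0x00]),
};

// With the JXL magic in the table the bank data is decoded, i.e. it is loaded
// into the attacker's process; with the declared-type requirement it is not.
console.log("sniff JXL:   ", mayEnterRendererProcess(bankData, { sniffJxl: true }));
console.log("declared JXL:", mayEnterRendererProcess(bankData, { sniffJxl: false }));
console.log("real JXL:    ", mayEnterRendererProcess(realJxl, { sniffJxl: false }));
```

The real `image/jxl` response is accepted under both policies, so requiring the declared type costs nothing for correctly served images; it only closes the path by which a non-image with a coincidental or attacker-chosen leading byte pair ends up in a cross-origin renderer.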