- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 24 May 2007 16:19:52 +0000 (UTC)
On Thu, 24 May 2007, Gervase Markham wrote:
> Jon Barnett wrote:
> > It's detrimental to the user when the user is denied content or a stylesheet
> > for the content because a server is misconfigured. There are cases, such as
> > CSS documents and images referenced by CSS documents, where ignoring
> > Content-type is never harmful. In other cases, the harm can be mitigated by
> > the rules in the spec.
>
> It's also detrimental to the user when they are put at security risk
> because MIME types are not respected.
>
> Recent example: spammers, phishers and other sundry evildoers have
> started attaching HTML attachments to Bugzilla installations, and using
> them as redirectors to their sites, to avoid domain name blacklists in
> spam filtering software.
>
> Obvious solution: if an attachment is uploaded by a user with no
> permissions and its MIME type is one which contains script executed by
> the browser (all HTML types, SVG, ...) then change it to "text/plain".
> This is the least intrusive option - the attachment can still be viewed,
> and someone with permissions can change the MIME type later after
> checking the content.
>
> However, this doesn't protect anyone using IE, because IE claims to know
> better and ignores Content-Type.

Note that the HTML5 spec requires browsers not to convert text/plain to a
more dangerous type (text/plain is either treated as text/plain or
application/octet-stream according to the spec).

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 May 2007 09:19:52 UTC
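The two mechanisms discussed in the message above, as an added example that is not part of the thread and is not Bugzilla's own code: a server-side attachment policy of the kind Gerv describes (unprivileged uploader plus script-bearing type gives text/plain), and a sniffer implementing the text/plain rule Ian cites, under which a text/plain resource is treated as text/plain or as application/octet-stream and never as anything more dangerous. The set of script-bearing types, the function names, the 1445-byte header length and the binary-byte table are taken from the current MIME Sniffing standard and from my own choices, not from the 2007 draft quoted in the thread; the sample "redirector" attachment is constructed for the example.

```python
"""Attachment MIME downgrade plus text/plain sniffing (example code, not Bugzilla's)."""

# Types a browser will execute script or active content from when served as-is.
# This list is an assumption for illustration; a real deployment would extend it.
SCRIPT_BEARING_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/xml",
    "text/xml",
}

# "Binary data bytes" as defined by the MIME Sniffing standard:
# 0x00-0x08, 0x0B, 0x0E-0x1A, 0x1C-0x1F.
BINARY_DATA_BYTES = (
    frozenset(range(0x00, 0x09))
    | {0x0B}
    | frozenset(range(0x0E, 0x1B))
    | frozenset(range(0x1C, 0x20))
)

# The standard's "resource header" is at most 1445 bytes.
RESOURCE_HEADER_LENGTH = 1445


def normalise_type(content_type: str) -> str:
    """Drop parameters (charset=...) and case so policy checks compare essence types."""
    return content_type.split(";", 1)[0].strip().lower()


def downgrade_content_type(declared_type: str, uploader_has_edit_privilege: bool) -> str:
    """Gerv's policy: attachments from unprivileged users that carry a
    script-bearing type are re-labelled text/plain. Privileged users keep
    the declared type (they can also restore it later after review)."""
    essence = normalise_type(declared_type)
    if not uploader_has_edit_privilege and essence in SCRIPT_BEARING_TYPES:
        return "text/plain"
    return essence


def sniff_text_plain(body: bytes) -> str:
    """Sniff a resource served as text/plain the way the spec allows:
    a Unicode BOM or the absence of binary bytes keeps it text/plain,
    otherwise it becomes application/octet-stream. No path leads to HTML."""
    header = body[:RESOURCE_HEADER_LENGTH]
    if header.startswith((b"\xfe\xff", b"\xff\xfe", b"\xef\xbb\xbf")):
        return "text/plain"
    if any(b in BINARY_DATA_BYTES for b in header):
        return "application/octet-stream"
    return "text/plain"


def effective_type(declared_type: str, body: bytes, uploader_has_edit_privilege: bool) -> str:
    """What a spec-conforming browser ends up rendering the attachment as,
    after the server applies the downgrade policy. A browser that ignores
    Content-Type (the IE behaviour Gerv complains about) is not modelled:
    this function is only meaningful for browsers that honour the header."""
    served_type = downgrade_content_type(declared_type, uploader_has_edit_privilege)
    if served_type == "text/plain":
        return sniff_text_plain(body)
    return served_type


# Constructed sample: an HTML attachment whose only job is to redirect,
# the spam-filter-evasion pattern described in the thread.
SAMPLE_REDIRECTOR = (
    b'<html><head><meta http-equiv="refresh" '
    b'content="0;url=http://example.invalid/"></head><body></body></html>'
)


if __name__ == "__main__":
    print("unprivileged upload:", effective_type("text/html; charset=utf-8", SAMPLE_REDIRECTOR, False))
    print("privileged upload:  ", effective_type("text/html; charset=utf-8", SAMPLE_REDIRECTOR, True))
    print("binary as text/plain:", sniff_text_plain(b"\x00\x01\x02PK"))
```

Two points the run makes visible: the downgrade is purely a relabelling, so the redirector markup still reaches the browser and the protection rests entirely on the browser honouring text/plain, which is exactly the guarantee the spec rule gives and IE of that era did not; and a binary blob relabelled text/plain is sniffed only to application/octet-stream, so the downgrade can break the display of a mislabelled image but never turns into script execution.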