[whatwg] Editorial: Sec. 4.9 -- Sniffing

In section 4.9 [1]

"It is imperative that the rules in this section be followed exactly.
When two user agents use different heuristics for content type
detection, security problems can occur. For example, ..."

I'm expecting an example of a security problem arising due to two user
agents using different heuristics. But what follows isn't very
focused:

"...if a server believes a contributed file to be an image (and thus
benign), but a Web browser believes the content to be HTML (and thus
capable of executing script), the end user can be exposed to malicious
content, "

Malicious content.... that's bad...

"...making the user vulnerable to cookie theft attacks and other
cross-site scripting attacks."

I guess so.

The bit about the two user agents never materializes: We have just a
server and a user agent. The example describes a server "believing"
the file to be "img/xxx" and a web browser believing something else. I
guess the server must express its belief by sending  a Content-Type
header. Or is the example for the case where it doesn't? The server
could be misinformed, since it's a "contributed file". So I can see a
general opportunity for vulnerability, but I don't see the concrete
one. Even after applying both my brain cells.

-- 
Hugh

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/section-content-type-sniffing.html#content-type5

Received on Friday, 16 November 2007 18:44:12 UTC