- From: Hugh Winkler <hughw@wellstorm.com>
- Date: Fri, 16 Nov 2007 20:44:12 -0600
In section 4.9 [1]: "It is imperative that the rules in this section be followed exactly. When two user agents use different heuristics for content type detection, security problems can occur. For example, ..."

I'm expecting an example of a security problem arising due to two user agents using different heuristics. But what follows isn't very focused:

"...if a server believes a contributed file to be an image (and thus benign), but a Web browser believes the content to be HTML (and thus capable of executing script), the end user can be exposed to malicious content, "

Malicious content.... that's bad...

"...making the user vulnerable to cookie theft attacks and other cross-site scripting attacks."

I guess so.

The bit about the two user agents never materializes: we have just a server and a user agent. The example describes a server "believing" the file to be "img/xxx" and a web browser believing something else. I guess the server must express its belief by sending a Content-Type header. Or is the example for the case where it doesn't? The server could be misinformed, since it's a "contributed file". So I can see a general opportunity for vulnerability, but I don't see the concrete one. Even after applying both my brain cells.

-- Hugh

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/section-content-type-sniffing.html#content-type5
Received on Friday, 16 November 2007 18:44:12 UTC
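The mismatch discussed in the post (a server that files a contributed upload as an image while a browser's sniffing heuristics treat the bytes as HTML) can be caught at upload time and blunted at serve time. The following is an added example, not code from the post or from the WHATWG spec: the magic-number table, the HTML tag list and the 512-byte window are assumptions for illustration, not the spec's exact sniffing rules.

```python
import re

# Well-known image signatures the server is willing to accept (assumed subset).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}

# Leading tags that a sniffing browser may take as a sign of HTML.
# Illustrative list only; the spec's own table is longer.
HTML_TAG_RE = re.compile(
    rb"^\s*<(?:!doctype\s+html|html|head|script|iframe|body|title|meta|"
    rb"a\s|img|div|p\s|p>|br|b>|table|font|style|h1)",
    re.IGNORECASE,
)

SNIFF_WINDOW = 512  # assumed: bytes a sniffer would inspect


def classify_upload(data: bytes) -> dict:
    """Decide whether a contributed file may be stored and served as an image.

    Accept only if the leading bytes carry a known image signature AND the
    same window does not open with something a browser might sniff as HTML.
    """
    head = data[:SNIFF_WINDOW]
    magic = next((t for sig, t in IMAGE_SIGNATURES.items() if head.startswith(sig)), None)
    looks_like_html = HTML_TAG_RE.search(head) is not None
    return {
        "content_type": magic,
        "looks_like_html": looks_like_html,
        "accept": magic is not None and not looks_like_html,
    }


def image_response_headers(content_type: str) -> dict:
    """Headers to send with an accepted image so the server's belief is
    stated explicitly and the browser is told not to second-guess it."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}


# Constructed sample inputs (not real files): a PNG header and a text file
# that merely claims to be an image by its upload name.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_SAMPLE = b"  <html><body>not an image</body></html>"
```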