- From: Bil Corry <bil@corry.biz>
- Date: Tue, 02 Jun 2009 11:25:54 -0500
Adam Barth wrote on 6/2/2009 3:17 AM:
> Now, consider the reverse:
>
> Content-Type: image/gif
> Content-Type: text/html
>
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image. This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., >20% of the market).

It's less likely to occur legitimately, but more likely to occur under a header injection scenario. For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:

http://www.corry.biz:40100/

In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered. It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.

- Bil

[1] Image from: http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
Received on Tuesday, 2 June 2009 09:25:54 UTC
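
Added example (not part of the original message, and not any browser's code): a Python check that a proxy or test harness could run over a raw response head to flag the conflicting Content-Type headers described above. The function names and the constructed SAMPLE response are assumptions; first_wins and last_wins model the two outcomes the message reports for IE 8 and Firefox 3.

```python
import re

# Constructed sample: a correct image type followed by a second,
# conflicting Content-Type, as in the scenario the message describes.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: image/x-ms-bmp\r\n"
          b"Content-Length: 1234\r\n"
          b"content-type: text/html; charset=utf-8\r\n"
          b"\r\n")


def content_types(raw_head):
    """Return every Content-Type value in a raw response head, in wire order."""
    # Accept CRLF and bare LF, since lenient clients treat both as line ends.
    head = re.split(rb"\r?\n\r?\n", raw_head, maxsplit=1)[0].decode("latin-1")
    values = []
    for line in re.split(r"\r?\n", head)[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values


def media_type(value):
    """Reduce 'Text/HTML; charset=x' to 'text/html' for comparison."""
    return value.split(";", 1)[0].strip().lower()


def audit(raw_head):
    """Report duplicate Content-Type headers and what each client model picks."""
    values = content_types(raw_head)
    types = [media_type(v) for v in values]
    return {
        "values": values,
        "duplicate": len(values) > 1,
        # Conflict: the headers disagree on the media type, so clients that
        # honour different occurrences will interpret the body differently.
        "conflict": len(set(types)) > 1,
        "first_wins": types[0] if types else None,
        "last_wins": types[-1] if types else None,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A response flagged with conflict set to True is worth rejecting or collapsing to a single header before it reaches clients, since the rendering then no longer depends on which occurrence a browser honours.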