W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2009

[whatwg] First or last Content-Type header?

From: Bil Corry <bil@corry.biz>
Date: Tue, 02 Jun 2009 11:25:54 -0500
Message-ID: <4A255292.6080002@corry.biz>
Adam Barth wrote on 6/2/2009 3:17 AM: 
> Now, consider the reverse:
> 
> Content-Type: image/gif
> Content-Type: text/html
> 
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image.  This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., >20% of the market).

It's less likely to occur legitimately, but more likely to occur under a header injection scenario.  For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:

	http://www.corry.biz:40100/

In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered.  It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.


- Bil


[1] Image from: http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
Received on Tuesday, 2 June 2009 09:25:54 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:12 UTC