[whatwg] First or last Content-Type header?

Adam Barth wrote on 6/2/2009 3:17 AM: 
> Now, consider the reverse:
> Content-Type: image/gif
> Content-Type: text/html
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image.  This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., >20% of the market).

It's less likely to occur legitimately, but more likely to occur under a header injection scenario.  For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:


In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered.  It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.

- Bil

[1] Image from: http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
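A defender-side check for the duplicate-header case discussed in this thread, added here as an example and not code from the thread or from any browser: it parses a constructed raw response, reports the first and last Content-Type and whether they disagree on media type, and flags header values carrying a line break before they are emitted. The sample response and all function names are assumptions for the example.

```python
"""Flag conflicting Content-Type headers in a raw HTTP response.

Added example for the whatwg thread above, not code from the thread.
SAMPLE is a constructed response mirroring the case described: a correct
image/x-ms-bmp header followed by an injected text/html header.
"""


def parse_header_block(raw):
    """Split a raw HTTP/1.x header block into (name, value) pairs.

    Only the section up to the first blank line is parsed and the status
    line is skipped. Names are lower-cased, values stripped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def content_type_conflict(raw):
    """Return (first, last, conflicting) for the Content-Type headers.

    conflicting is True when several Content-Type headers disagree on the
    media type (parameters and case ignored): exactly the response that
    IE (first header) and Firefox (last header) render differently.
    """
    values = [v for n, v in parse_header_block(raw) if n == "content-type"]
    if not values:
        return None, None, False
    types = {v.split(";", 1)[0].strip().lower() for v in values}
    return values[0], values[-1], len(types) > 1


def header_value_is_clean(value):
    """True unless the value carries CR or LF, which would let it start a
    second header line on the wire (the injection vector in the thread)."""
    return "\r" not in value and "\n" not in value


# Constructed sample: a benign image response with an injected second header.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: image/x-ms-bmp\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 0\r\n\r\n")
```

A proxy or response linter that treats `conflicting == True` as an error avoids depending on which header a given browser happens to honour.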

