- From: Bil Corry <bil@corry.biz>
- Date: Tue, 02 Jun 2009 13:53:46 -0500
Adam Barth wrote on 6/2/2009 11:47 AM:
> On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry <bil at corry.biz> wrote:
>> It's less likely to occur legitimately, but more likely to occur under a header injection scenario.
>
> As I wrote before in this thread, if the attacker can inject headers,
> there are far more severe attacks than changing the type of an HTTP
> response.

That may be true, but changing the content-type is a very serious issue, as you yourself point out in the draft we're discussing:

    When a user agent uses different heuristics for media type detection than the server expects, security problems can occur. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a user agent believes the content to be HTML (and thus privileged to execute any scripts contained therein), an attacker might be able to steal the user's authentication credentials and mount other cross-site scripting attacks.

from: http://www.ietf.org/internet-drafts/draft-abarth-mime-sniff-01.txt

Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing. Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?

- Bil
Received on Tuesday, 2 June 2009 11:53:46 UTC
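The two problems discussed in the message above, duplicate Content-Type headers and a "declared image, sniffs as HTML" body, as an added server-side audit check (example code written for this page, not Bil's, Adam's or the draft's own code). The magic-byte and leading-tag tables are a small constructed subset of the draft's sniffing rules, and the sample responses are constructed.

```python
import re

# Constructed subset of the draft's image magic-byte table (assumption: enough
# for the demonstration, not the full list).
IMAGE_MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
# Leading tags a sniffing user agent treats as text/html (again a subset).
HTML_TAG = re.compile(
    rb"^\s*<(!doctype\s+html|html|head|script|body|iframe|div|p|table|br|h1)[\s>]",
    re.IGNORECASE)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (headers, body).
    Headers come back in wire order so duplicates stay visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return headers, body

def sniffed_type(body: bytes):
    """What a sniffing UA would conclude from the body bytes alone."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if HTML_TAG.match(body):
        return "text/html"
    return None

def audit(raw: bytes):
    """Return the findings a defender should flag for one response."""
    headers, body = parse_response(raw)
    declared = [v.split(";")[0].strip().lower()
                for n, v in headers if n == "content-type"]
    findings = []
    if len(declared) > 1:
        findings.append("multiple-content-type")      # browsers disagree on which wins
    if any(d.startswith("image/") for d in declared) and sniffed_type(body) == "text/html":
        findings.append("declared-image-sniffs-html")  # the case the draft warns about
    return findings

# Constructed sample responses: one clean GIF, one with two Content-Type headers.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00\x01\x00"
DUP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Type: text/html\r\n\r\n"
       b"<html><body>not really an image</body></html>")
```

Run `audit()` over responses your server emits for user-contributed files; either finding means a sniffing client may render the body as HTML regardless of what the first header says.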