[whatwg] First or last Content-Type header?

Adam Barth wrote on 6/2/2009 11:47 AM: 
> On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry <bil at corry.biz> wrote:
>> It's less likely to occur legitimately, but more likely to occur under a header injection scenario.
> 
> As I wrote before in this thread, if the attacker can inject headers,
> there are far more severe attacks than changing the type of an HTTP
> response.

That may be true, but changing the content-type is a very serious issue, as you yourself point out in the draft we're discussing:

   When a user agent uses different
   heuristics for media type detection than the server expects, security
   problems can occur.  For example, if a server believes that the
   client will treat a contributed file as an image (and thus treat it
   as benign), but a user agent believes the content to be HTML (and
   thus privileged to execute any scripts contained therein), an
   attacker might be able to steal the user's authentication credentials
   and mount other cross-site scripting attacks.

   from: http://www.ietf.org/internet-drafts/draft-abarth-mime-sniff-01.txt


Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing.  Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?


- Bil
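The ambiguity Bil describes (a response carrying more than one Content-Type header, with user agents disagreeing on which one counts) is something a reverse proxy or response filter can detect before a browser ever has to choose. The following is an added example, not code from the thread or from any user agent; the response text is constructed and all function names are the example's own:

```python
from typing import List, Optional, Tuple

# Constructed sample: a response whose header block ends up with two
# Content-Type values, e.g. after a header-injection bug appended one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Content-Length: 42\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "...body omitted..."
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def effective_content_type(pairs, policy: str = "first") -> Optional[str]:
    """Media type a first-wins or last-wins user agent would act on."""
    values = [v for n, v in pairs if n == "content-type"]
    if not values:
        return None
    chosen = values[0] if policy == "first" else values[-1]
    return chosen.split(";", 1)[0].strip().lower()  # drop parameters


def conflicting_content_types(pairs) -> List[str]:
    """Distinct media types across all Content-Type headers; empty if
    there is no conflict. A non-empty result is what a proxy should
    log or block: first-wins and last-wins clients will disagree."""
    seen: List[str] = []
    for n, v in pairs:
        if n == "content-type":
            media_type = v.split(";", 1)[0].strip().lower()
            if media_type not in seen:
                seen.append(media_type)
    return seen if len(seen) > 1 else []
```

Run against `SAMPLE_RESPONSE`, a first-wins client sees `image/png`, a last-wins client sees `text/html`, and `conflicting_content_types` reports both so the response can be rejected at the edge rather than left to sniffing.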

Received on Tuesday, 2 June 2009 11:53:46 UTC