W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2014

Re: [whatwg] AppCache Content-Type Security Considerations

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 12 May 2014 17:36:12 -0700
Message-ID: <CALx_OUC=+DjL9uE+twVuZFJkhEETed7qLVu1iCHxgMo2F2a5Pg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, "Eduardo' Vela <Nava>" <evn@google.com>, Ian Hickson <ian@hixie.ch>
>> Note that there _is_ still a content type check with appcache, it's just
>> done on the first few bytes of the file instead of on the metadata. (This
>> is IMHO how all file typing should work.)
>
> There's a big difference between the first few bytes of a file and the
> Content-Type HTTP header.  In many scenarios, the former is under the
> control of an attacker when the latter is not.

Yup, from the perspective of a significant proportion of modern
websites, MIME sniffing would be almost certainly a disaster. For
example, many websites rely on the ability to tell the browser that a
particular file should be interpreted as a profile image supplied by
the user, and not any form of "active" content.

Server-side validation does not help, because some formats do not have
unique signatures (e.g., CSV, plain text), while others can be
structured so that they are valid to more than one parser - say,
http://lcamtuf.coredump.cx/squirrel/.

While content sniffing might be a more fault-tolerant solution, I'm
pretty sure we can't go there without major casualties. In fact,
Microsoft spent several years to waltz out of content sniffing in
their browser, and C-T matching has been tightened up in most browsers
even on subsresources such as <script> or <style> to close a number of
significant security attacks (for example, it turns out that many
cross-origin HTML documents can be also parsed as CSS, with observable
side effects [1]).

/mz

[1] http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
Received on Tuesday, 13 May 2014 00:36:58 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:20 UTC