- From: L. David Baron <dbaron@dbaron.org>
- Date: Mon, 23 Jun 2003 18:41:17 -0400
- To: www-tag@w3.org
On Monday 2003-06-23 12:58 -0700, Tim Bray wrote:
> We're working on the contentEoverride-24 finding, and it has been
> suggested that there are security implications in the case where a web
> agent decides to ignore the media-type the server sent and decides to
> handle the incoming data in some other fashion based on, for example,
> peeking inside the data and guessing what it is.
>
> Whereas this is easy to believe, we'd like to see a specific scenario or
> two showing how nefarious action or erroneous practice could lead to a
> security breach.

Consider a site behind a firewall that serves externally-supplied content
(e.g., what was filled out on a feedback form, or incoming email to some
general address) as text/plain. If implementations don't sniff, then one
could assume that serving such content as text/plain eliminates the
possibility of script being used to steal content from behind the
firewall. However, if implementations sniff such content for being
HTML-ish, treat it as text/html, and execute scripts contained in the
content, content behind the firewall could be stolen. (This gets around
cross-site scripting restrictions by planting the content inside the site
whose security is breached. This requires some cooperation by the site
itself, but doing something that could be expected to be safe.)

-David

-- 
L. David Baron <URL: http://dbaron.org/ >
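The scenario in the message above, modelled as an added example that is not part of the original thread and not code from any of its participants. It models a site that stores externally supplied feedback and serves it as text/plain, then compares two user-agent policies: one that sniffs HTML-ish bytes and upgrades text/plain to text/html, and one that honours the declared type. The X-Content-Type-Options: nosniff header used as the server-side mitigation post-dates this 2003 message and is shown here as the modern defence, not as something the message proposes; the function names, the sniffing heuristic and the feedback text are all constructed for the example.

```python
# Added example (not from the original message): how a content-sniffing user
# agent turns text/plain feedback into executable HTML, and how a strict agent
# or an explicit "nosniff" header prevents it.
import re

# Constructed sample of what an external party might type into a feedback
# form. The script body is an inert marker; the point is only that it is
# script inside a response the site declared to be plain text.
FEEDBACK_BODY = (
    b"<html><body><script>/* constructed marker */</script>"
    b"Thanks for the quick reply!</body></html>"
)

# Markup tokens a permissive sniffer of the era looked for near the start of
# a response (constructed list, not any particular browser's table).
HTML_SNIFF_TOKENS = [rb"<!doctype html", rb"<html", rb"<head", rb"<body", rb"<script"]


def looks_like_html(body: bytes) -> bool:
    """Crude HTML sniff over the first 512 bytes of a response."""
    head = body[:512].lstrip().lower()
    return any(re.search(tok + rb"[\s>]", head) for tok in HTML_SNIFF_TOKENS)


def serve_feedback(body: bytes, hardened: bool) -> dict:
    """Headers the site attaches when it echoes stored feedback back out.
    The unhardened site relies on text/plain alone; the hardened one also
    tells sniffing agents not to second-guess the declared type."""
    headers = {"Content-Type": "text/plain; charset=utf-8"}
    if hardened:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def effective_type(headers: dict, body: bytes, sniff: bool = True) -> str:
    """Media type a user agent actually acts on.

    sniff=True models the permissive agent from the message: it ignores the
    declared type whenever text/plain bytes look like HTML, unless the server
    explicitly forbids that with nosniff. sniff=False models an agent that
    never consults the body."""
    declared = headers.get("Content-Type", "application/octet-stream")
    declared = declared.split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if sniff and not nosniff and declared == "text/plain" and looks_like_html(body):
        return "text/html"
    return declared


def scripts_would_run(headers: dict, body: bytes, sniff: bool = True) -> bool:
    """True when the agent would treat the response as HTML and it contains
    script, i.e. the condition under which content behind the firewall could
    be read by the planted script."""
    return effective_type(headers, body, sniff) == "text/html" and b"<script" in body.lower()


def flag_html_in_feedback(body: bytes) -> bool:
    """Site-side check a defender can run over stored feedback before serving
    it: anything HTML-ish under a text/plain endpoint deserves escaping or
    review, regardless of what user agents do."""
    return looks_like_html(body) or b"<script" in body.lower()


if __name__ == "__main__":
    for hardened in (False, True):
        hdrs = serve_feedback(FEEDBACK_BODY, hardened)
        for sniff in (True, False):
            print(
                f"hardened={hardened!s:5} sniffing_agent={sniff!s:5} "
                f"effective={effective_type(hdrs, FEEDBACK_BODY, sniff):10} "
                f"script_runs={scripts_would_run(hdrs, FEEDBACK_BODY, sniff)}"
            )
    print("flagged on ingest:", flag_html_in_feedback(FEEDBACK_BODY))
```

Only the combination of an unhardened site and a sniffing agent yields text/html; either honouring the declared type on the client or adding nosniff on the server keeps the feedback as inert plain text, and the ingest check catches the markup before it is ever served.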
Received on Monday, 23 June 2003 18:42:59 UTC