User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36

Steps to reproduce:

1. Imagine a server which will give you some txt error on every request if there is no handler for it. For example, http://www.example.com/aaaa and http://www.example.com/aaaa.html will give you pages with the same content, say text like: Error page not found %url
2. Server will not set the content-type header (for some reason) for such pages
3. If someone could alter the url to something like this: http://www.example.com/aaaa.html?<script>alert(1)</script> then XSS will occur, since Firefox will render the text without content-type header based only on extension of requested resource

I found it pretty serious as many web developers rely on browser's rendering capabilities (for example, look at latest Chrome or Internet Explorer)

Actual results:

So, shortly: Firefox browser will render document without content-type header in response based only on the extension of the requested document (html vs anything else)

Expected results:

I think the best solution is to render such documents as text/plain regardless of document's extension
I don't think we're basing this on the extension, but probably "sniffing" the content as allowed in the HTTP spec for documents without a Content-Type: https://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7.2.1 Breaking that behavior and switching to text/plain (or worse, the application/octet-stream suggested in the spec) will break lots of real-world pages. Echoing user input back in an error message like this is a well known (perhaps the most basic) XSS vector that server authors need to deal with.
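Added example, not code from the bug report or from Mozilla: the catch-all error handler from the reporter's three steps, once in the form described (raw request URL echoed back, no Content-Type set) and once hardened the way the second comment says server authors must handle it (declared type, sniffing disabled, echoed input escaped). The handlers are written as plain functions returning a response object so they can be inspected without a running server; the function names, the hostname from the report and the `%url` template are assumptions made for this illustration.

```javascript
// Added example (not the bug report's code): vulnerable vs hardened
// catch-all error responses. Function names are illustrative.

// Minimal HTML escaping for text placed into a document body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable form, matching steps 1 and 2 of the report: the "Error page
// not found %url" template is filled with the raw request URL and no
// Content-Type is set, so the browser alone decides how to render the body.
function vulnerableErrorResponse(requestUrl) {
  return {
    status: 404,
    headers: {},
    body: `Error page not found ${requestUrl}`,
  };
}

// Hardened form: the response says what it is, tells the browser not to
// sniff, and escapes the echoed URL so it stays inert even if some
// intermediary or browser still treats the body as HTML.
function hardenedErrorResponse(requestUrl) {
  return {
    status: 404,
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `Error page not found ${escapeHtml(requestUrl)}`,
  };
}

// True if the body still contains something a tag parser would treat as
// the start of a tag (used here to compare the two responses).
function containsRawMarkup(body) {
  return /<[a-zA-Z!/?]/.test(body);
}

// Constructed request URL from step 3 of the report.
const SAMPLE_URL = '/aaaa.html?<script>alert(1)</script>';

function demo() {
  const vulnerable = vulnerableErrorResponse(SAMPLE_URL);
  const hardened = hardenedErrorResponse(SAMPLE_URL);
  return {
    vulnerableHasType: 'Content-Type' in vulnerable.headers,
    vulnerableRawMarkup: containsRawMarkup(vulnerable.body),
    hardenedRawMarkup: containsRawMarkup(hardened.body),
    hardenedBody: hardened.body,
  };
}
```

In a Node `http` handler the hardened object maps directly onto `res.writeHead(r.status, r.headers); res.end(r.body)`. The escaping is kept even though the type is `text/plain`, because the two defences fail independently: a framework or proxy that rewrites Content-Type does not undo the escaping, and a template that is later reused for an HTML error page does not reintroduce the injection.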
Component: Untriaged → Networking
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX