Closed Bug 1498523 Opened 6 years ago Closed 6 years ago

Firefox sniffs html mime type despite "X-Content-Type-Options: nosniff"

Categories: Firefox :: Security (enhancement)

RESOLVED DUPLICATE of bug 1428473

People: Reporter hanno; Unassigned

Details

I recently noticed that nosniff does not behave in a way most web admins will expect. Notably it doesn't disable mime sniffing in what I consider one of the most dangerous sniffing scenarios for XSS.

When sending out a file without a mime type and with nosniff set that contains HTML code, the browser will sniff the mime type and render it as HTML.

Think of a scenario like this:
* A web application allows various forms of file uploads with a restricted list of allowed file formats that they consider safe, based on their extension.
* One of those file formats is not in the system's mime.types file, so the web server cannot set a mime type automatically. (mime.types differs widely among distributions, therefore this is very plausible.)
* This will automatically lead to XSS via mime sniffing, as a user can upload a file that will be sniffed to HTML, in which they can embed JavaScript.

I have several examples of real web applications where this is the case, though I'm in the process of disclosing this privately, so I won't name them yet. Until I learned about this I was under the impression that the nosniff header would prevent mime-sniffing based vulnerabilities, yet with the current behavior of firefox that's not the case.

One might argue that for safety reasons a web server should always send out a default mimetype for unknown file types. However, notably, in Apache there's no such option, so that's not very practical.

Other browsers: Chrome will respect nosniff and will not render the file (it'll show it as text, which I believe is a safe way of treating a no-mimetype-file). Edge shows the same behavior as Firefox (I'll try to report it to them as well).

Given that Chrome behaves like this I think it's plausible that no major breakage will occur in any popular site or webapp.
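A server-side check for the upload scenario in this report, added here as an example (not Firefox's code or the reporter's): it approximates the HTML pattern table of the WHATWG MIME Sniffing Standard so an upload pipeline can reject files whose leading bytes a sniffer would classify as HTML, which matters precisely when the extension is allowed but no Content-Type will be sent. The pattern list, the 1445-byte window and the sample inputs are a simplified transcription and constructed data.

```python
# Tag names the sniffer looks for right after "<" at the start of a resource
# (case-insensitive), each followed by a tag-terminating byte (space or ">").
# Simplified transcription of the MIME Sniffing Standard's HTML patterns.
_HTML_TAGS = (b"!DOCTYPE HTML", b"HTML", b"HEAD", b"SCRIPT", b"IFRAME", b"H1",
              b"DIV", b"FONT", b"TABLE", b"A", b"STYLE", b"TITLE", b"B",
              b"BODY", b"BR", b"P", b"!--")
_LEADING_WS = b"\t\n\x0c\r "   # whitespace the sniffer skips before the tag
_TAG_TERMINATORS = (b" ", b">")
SNIFF_WINDOW = 1445            # resource header length used by the standard


def looks_like_html(data: bytes) -> bool:
    """True if a sniffer would classify the resource as text/html."""
    head = data[:SNIFF_WINDOW].lstrip(_LEADING_WS)
    if not head.startswith(b"<"):
        return False
    body = head[1:]
    for tag in _HTML_TAGS:
        n = len(tag)
        if body[:n].upper() == tag and body[n:n + 1] in _TAG_TERMINATORS:
            return True
    return False


def upload_is_safe(filename: str, data: bytes, allowed_ext: set) -> tuple:
    """Check by extension AND by content: an allowed extension the server
    cannot map to a Content-Type would otherwise be sniffed on download."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_ext:
        return False, "extension not allowed"
    if looks_like_html(data):
        return False, "content would be sniffed as HTML"
    return True, "ok"


# Constructed sample uploads: ".xyz" stands in for an allowed extension that
# is missing from the server's mime.types file.
SAMPLES = {
    "notes.xyz": b"  \n<html><script></script>",   # sniffs to HTML
    "data.xyz": b"name,value\nfoo,1\n",            # plain data, fine
    "page.html": b"<!doctype html><p>hi",           # blocked by extension
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, upload_is_safe(name, blob, {"xyz", "csv"}))
```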
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security