Bug 1498523 (Closed)
Firefox sniffs html mime type despite "X-Content-Type-Options: nosniff"
Opened 6 years ago; closed 6 years ago
Product / Component: Firefox :: Security (enhancement)
Status: RESOLVED DUPLICATE of bug 1428473
Reporter: hanno; Assignee: Unassigned
I recently noticed that nosniff does not behave in a way most web admins will expect. Notably, it doesn't disable MIME sniffing in what I consider one of the most dangerous sniffing scenarios for XSS. When sending out a file without a MIME type and with nosniff set that contains HTML code, the browser will sniff the MIME type and render it as HTML.

Think of a scenario like this:

* A web application allows various forms of file uploads with a restricted list of allowed file formats that they consider safe, based on their extension.
* One of those file formats is not in the system's mime.types file, thus the web server cannot set a MIME type automatically. (mime.types differs widely among distributions, therefore this is very plausible.)
* This will automatically lead to XSS via MIME sniffing, as a user can upload a file that will be sniffed to HTML and there he can embed JavaScript.

I have several examples of real web applications where this is the case, though I'm in the process of disclosing this privately, so I won't name them yet.

Until I learned about this I was under the impression that the nosniff header would prevent MIME-sniffing based vulnerabilities, yet with the current behavior of Firefox that's not the case.

One might argue that for safety reasons a web server should always send out a default MIME type for unknown file types. However, notably in Apache there's no such option, so that's not very practical.

Other browsers: Chrome will respect nosniff and will not render the file (it'll show it as text, which I believe is a safe way of treating a no-MIME-type file). Edge shows the same behavior as Firefox (I'll try to report it to them as well).

Given that Chrome behaves like this, I think it's plausible that no major breakage will occur in any popular site or webapp.
Updated 6 years ago: Group: firefox-core-security
Updated 6 years ago: Status: NEW → RESOLVED; Closed: 6 years ago; Resolution: --- → DUPLICATE
Updated 1 year ago: Group: firefox-core-security