Open Bug 1810123 Opened 1 year ago Updated 1 year ago

X-Content-Type-Options: nosniff does not prevent sniffing of MP3 file

Categories

(Core :: Audio/Video: Playback, defect)

Firefox 108
defect


UNCONFIRMED

People

(Reporter: sjoerd-mozilla, Unassigned, NeedInfo)

Details

Steps to reproduce:

Serve an MP3 file with no Content-Type header, and with an X-Content-Type-Options: nosniff header. I used this PHP code:

<?php
// Empty value: clears PHP's default Content-Type header so none is sent.
header('Content-Type:');
// Tell the browser not to sniff the response body.
header('X-Content-Type-Options: nosniff');
// Stream the MP3 bytes as the response body ('file.mp3' is the reporter's sample file).
readfile('file.mp3');
?>

I opened this in Firefox 108.0.1 on macOS and it showed a player for the MP3 file.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0

Actual results:

A player was rendered, which began playing the audio file. It did MIME type sniffing, even though I specified X-Content-Type-Options: nosniff.

Expected results:

The file should be downloaded. Since I specified X-Content-Type-Options: nosniff and no Content-Type header, Firefox should not be able to determine that this is an audio file.
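The setup described in the report, reproduced here as an added example that is not part of the bug, of Firefox, or of the reporter's code: a small Python server exposes the same constructed MP3-like bytes on two paths, one with nosniff and no Content-Type at all (the report's case) and one with nosniff plus an explicit Content-Type for comparison, so the response headers can be inspected with curl or a browser. It also carries a deliberately simplified model of how the MIME Sniffing standard combines a supplied type with the no-sniff flag; that model is my reading of the standard, not Gecko's implementation, and it omits the standard's text/plain, image and audio/video refinement rules. The byte string, paths, port and function names are constructed for this example.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Optional, Tuple
from urllib.request import urlopen

# Constructed stand-in for file.mp3: an ID3v2 tag header followed by an MPEG
# frame sync (0xFF 0xFB). Enough to match an MP3 signature; not playable audio.
FAKE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 60


class SniffProbe(BaseHTTPRequestHandler):
    """Two endpoints serving identical bytes:
    /nosniff - the report's setup: nosniff set, no Content-Type header at all.
    /typed   - same body, nosniff set, explicit Content-Type for comparison.
    """

    def do_GET(self) -> None:
        if self.path not in ("/nosniff", "/typed"):
            self.send_error(404)
            return
        self.send_response(200)  # adds only Server and Date, never Content-Type
        if self.path == "/typed":
            self.send_header("Content-Type", "application/octet-stream")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(FAKE_MP3)))
        self.end_headers()
        self.wfile.write(FAKE_MP3)

    def log_message(self, *args) -> None:  # keep the console quiet
        pass


def serve(port: int = 0) -> ThreadingHTTPServer:
    """Start the probe on 127.0.0.1 in a background thread; port 0 picks a free port."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), SniffProbe)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url: str) -> Tuple[Dict[str, str], bytes]:
    """GET url; return lower-cased response headers and the body."""
    with urlopen(url) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return headers, resp.read()


def looks_like_mp3(body: bytes) -> bool:
    """MP3 signature test in the spirit of the MIME Sniffing standard:
    an 'ID3' tag, or an MPEG audio frame sync (first 11 bits set)."""
    if body[:3] == b"ID3":
        return True
    return len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0


def computed_type(supplied: Optional[str], nosniff: bool, body: bytes) -> str:
    """Simplified model (assumption: my reading of the MIME Sniffing standard,
    not Gecko's code) of how a supplied Content-Type and nosniff combine.
    Rules for text/plain, image and audio/video refinement are omitted."""
    if supplied is None or supplied in ("unknown/unknown", "application/unknown", "*/*"):
        # Unknown type: the body is sniffed even with nosniff; in this branch
        # nosniff only disables sniffing for scriptable types (HTML, XML, PDF).
        return "audio/mpeg" if looks_like_mp3(body) else "application/octet-stream"
    # A real supplied type is kept; with nosniff it is never overridden.
    return supplied


if __name__ == "__main__":
    server = serve(8000)
    print("open http://127.0.0.1:8000/nosniff or /typed in a browser; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Run the module, then load both paths in the browser under test and compare the behaviour with what `curl -sI` shows for the headers. In the model, `computed_type(None, True, body)` still yields an audio type because the no-sniff flag has no supplied type to pin; only the `/typed` response gives the flag something to hold on to.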

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core

I'm guessing we're still investing in content sniffing to figure out what this file is so we can provide the best user experience. Paul any thoughts here?

Flags: needinfo?(padenot)
Severity: -- → S4