X-Content-Type-Options: nosniff does not prevent sniffing of MP3 file
Categories
(Core :: Audio/Video: Playback, defect)
People
(Reporter: sjoerd-mozilla, Unassigned, NeedInfo)
Details
Steps to reproduce:
Serve an MP3 file with no Content-Type header, and with an X-Content-Type-Options: nosniff header. I used this PHP code:
<?php
header('Content-Type:');
header('X-Content-Type-Options: nosniff');
readfile('file.mp3');
?>
I opened this in Firefox 108.0.1 on macOS and it showed a player for the MP3 file.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0
Actual results:
A player was rendered, which began playing the audio file. It did MIME type sniffing, even though I specified X-Content-Type-Options: nosniff.
Expected results:
The file should be downloaded. Since I specified X-Content-Type-Options: nosniff and no Content-Type header, Firefox should not be able to determine that this is an audio file.
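A response-header check for the condition in this report, as an added example (not part of the bug report and not Firefox code): it flags responses that send X-Content-Type-Options: nosniff without a usable Content-Type, so that such endpoints can be given an explicit type or a Content-Disposition: attachment header instead of depending on the browser. The finding names and the sample response heads are constructed for illustration.

```python
import re

# "type/subtype" built from HTTP token characters (RFC 9110).
MEDIA_TYPE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+/[!#$%&'*+.^_`|~0-9A-Za-z-]+")

def parse_head(raw):
    """Return {lower-cased header name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:       # element 0 is the status line
        if not line:
            break                             # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return finding codes (hypothetical names) for one response head."""
    h = parse_head(raw)
    # Media type without parameters; empty string if absent or sent empty.
    ctype = h.get("content-type", [""])[-1].split(";")[0].strip()
    nosniff = any(v.lower() == "nosniff"
                  for v in h.get("x-content-type-options", []))
    attachment = any(v.lower().startswith("attachment")
                     for v in h.get("content-disposition", []))
    findings = []
    if not MEDIA_TYPE.fullmatch(ctype):
        findings.append("no-usable-content-type")
        if nosniff and not attachment:
            # The case in this report: nosniff is the only control in place.
            findings.append("relies-on-nosniff-alone")
    if not nosniff:
        findings.append("missing-nosniff")
    return findings

# Constructed sample response heads (not captured traffic).
REPORTED = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n"
EMPTY_TYPE = ("HTTP/1.1 200 OK\r\nContent-Type:\r\n"
              "X-Content-Type-Options: nosniff\r\n\r\n")
EXPLICIT = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            "Content-Disposition: attachment; filename=\"file.mp3\"\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("reported", REPORTED), ("empty", EMPTY_TYPE),
                        ("explicit", EXPLICIT)):
        print(label, audit(head))
```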
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
I'm guessing we're still investing in content sniffing to figure out what this file is so we can provide the best user experience. Paul, any thoughts here?