file type is wrongly recognized as .txt

VERIFIED INVALID

Status

()

VERIFIED INVALID
10 years ago
10 years ago

People

(Reporter: marun2, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3

FF 3.1 b 3
In this URL click on "jquery-1.3.2.js   117 KB ". The dialog shows jquery-1.3.2.js which is a "text document". I opened the same URL in IE8 and it recognizes it as ".js Javascript file".

Using web sniffer
http://web-sniffer.net/?url=http%3A%2F%2Fjqueryjs.googlecode.com%2Ffiles%2Fjquery-1.3.2.js&submit=Submit&http=1.1&gzip=yes&type=GET&uak=0

the content-disposition is attachment, and the file name ends with .js, so how come it recognizes as a text file?

Reproducible: Always

Steps to Reproduce:
1. Go to URL
2. Click on .js download
3. Resulting dialog box
Actual Results:  
It shows it is a text file to be downloaded, and displays icon for text files. It is a .js file.

Expected Results:  
.js file has different icon which is shown by IE8.
web sniffer tells you...

Content-Type:	text/plain; charset=us-ascii

If you want it to be treated as js it should be something like text/javascript
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID

Comment 2

10 years ago
Here is what happens when mozilla apps encounter text/plain:
https://developer.mozilla.org/en/How_Mozilla_determines_MIME_Types#section_3

And here is what happens when IE8's mime sniffing is exploited:
http://adblockplus.org/blog/the-hazards-of-mime-sniffing
(Reporter)

Comment 3

10 years ago
Is IE8 wrong then?
Name jquery-1.3.2.js 
Type JScript Script File, 117KB
From jqueryjs.googlecode.com
IE8 recognizes the content as .js file, based on the file extension, not based on the content-type, the content type may be spoofed (filename/extension can be spoofed also), so the determination Ie made on the basis of the actual file name that is going to download, which seems like IE8 is making correct interpretation in this case.

I visited this URL http://img337.imageshack.us/img337/9045/xssoj7.png
given in the second link, as test case, and IE8 only displayed the PNG image, not HTML and didnt execute any script.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Yes IE8 is wrong.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago10 years ago
Resolution: --- → INVALID
IE8 fixed one of the many security flaws (the example PNG above).

Here is a simple test page from the co-author of the acid2, acid3 tests and W3C Css working group about mime-types : http://hixie.ch/tests/adhoc/http/content-type/ .
(not that Gecko is right in all cases)
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.