Open Bug 710567 Opened 11 years ago Updated 5 months ago

open with .. Firefox


(Firefox :: General, defect)

8 Branch
Windows 7





(Reporter: literakl, Unassigned)


User Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

When I click some link, if Firefox does not handle this file type internally, it opens a dialog to select an action (open with, save as). It happens that some server is misconfigured and it returns the wrong mime type for a known format, so Firefox opens this dialog instead of displaying the content. E.g. I cannot display a JPEG image when the server returns the application/binary mime type.

Actual results:

I had to start an external program to display the image.

Expected results:

Add Firefox to the list of programs that can handle this format. If the user selects this choice, then try to open it in Firefox's current tab. It can then do some format detection like linux command "file". If it really does not know the format, then display it in binary form.

You can already choose Firefox.exe but that will create a loop because that opened Firefox.exe also can't handle the mime-type.

>It can then do some format detection like linux command "file"
Content-type sniffing can be dangerous on the web and that's the reason why Gecko avoids that. Put a little bit of JS in the file and deliver it with a jpeg extension and voilà, you have a big problem.

And are you sure that your example is a wrong content-type and not a content-disposition:attachment?

Once I find such an image, I will post more details. Recently I had an issue with opening a shell script. It is a text file, but Firefox did not display it. It showed the Open file dialog instead.


I understand the security concerns. I do not know Firefox's internal infrastructure. As a user I would be happy to have a chance to display any content in Firefox directly. Either as text, supported format renderer or binary dump.

Btw, what does happen when I have <img src="url"> and the server returns no mime type? Or if it is a local file without an extension? I think that Firefox has some heuristics in this case.

>does happen, when I have <img src="url"> and server returns no mime type?
All HTTP/1.0 and HTTP/1.1 servers have to provide a content-type

HTTP/0.9, ftp://, file:// don't provide mime-types and Gecko is using content-sniffing.
The extension in the case of a local file is only a part of the detection.

A security example would be this:
An attacker uploads an HTML/JavaScript file to Facebook as an image and Facebook accepts this file. The attacker now points you to this image. The attacker can now control your Facebook account if you are logged in and Gecko used content-sniffing.

The imagelib in Gecko is already doing content-sniffing because this isn't dangerous. You can rename a .gif file to .jpg and Gecko/Firefox will display it.

and then there is and bug 57342
Severity: normal → S3
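
The distinction drawn in the comments above, as an added example that is not part of the bug report and not Gecko's code: sniffing that can only choose among image decoders cannot turn a file into script, while sniffing a top-level load can promote it to HTML. All function names, return labels and sample bytes are constructed for this sketch.

```python
# Simplified model only; it does not reproduce Gecko's real sniffing rules.
IMAGE_MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)

# Constructed sample bodies (truncated headers, not valid full files).
GIF_RENAMED = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
JPEG_AS_BINARY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
HTML_AS_JPEG = b"<html><script>/* script content */</script></html>"

def sniff_image(body: bytes):
    """Return an image MIME type from leading magic bytes, or None."""
    for magic, mime in IMAGE_MAGIC:
        if body.startswith(magic):
            return mime
    return None

def looks_like_html(body: bytes) -> bool:
    """Crude stand-in for a document sniffer: markup near the start."""
    head = body[:512].lower()
    return any(tag in head for tag in (b"<html", b"<script", b"<!doctype html"))

def handle_image_load(declared: str, body: bytes) -> str:
    """<img> context: declared type is ignored, but the only possible
    outcomes are an image decoder or a failed load, never script."""
    return sniff_image(body) or "load-error"

def handle_navigation(declared: str, body: bytes, sniff: bool) -> str:
    """Top-level load. With sniff=False the declared type is authoritative."""
    if sniff:
        if looks_like_html(body):
            return "text/html"  # body would run as script in the serving origin
        guessed = sniff_image(body)
        if guessed:
            return guessed
    if declared.startswith("image/"):
        return sniff_image(body) or "load-error"
    if declared in ("text/html", "text/plain"):
        return declared
    return "download-dialog"  # unknown type: offer open with / save as
```

With `sniff=False`, the mislabelled JPEG ends in the dialog the reporter describes, and the HTML file served as `image/jpeg` fails to load instead of rendering as a document.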