Re: [websec] Content sniffing

"Richard L. Barnes" <> Mon, 09 July 2012 23:19 UTC

From: "Richard L. Barnes" <>
In-Reply-To: <>
Date: Mon, 9 Jul 2012 19:19:50 -0400
To: Adam Barth <>
Subject: Re: [websec] Content sniffing
List-Id: Web Application Security Minus Authentication and Transport <>

I haven't thought much about this, but a couple of thoughts:

The binary prologue means that the document is not valid HTML, so in principle, it shouldn't be accepted as HTML.  It makes you wonder what other stuff you could put in there that the browser would stuff into the DOM without it being obvious on the wire, say, to a proxy.  I'm imagining things like encrypted / compressed JavaScript code that could be unpacked by the more obviously HTML part of the page.

In a related vein, the "Text or Binary" section of draft-ietf-websec-mime-sniff says that nothing scriptable must come out of sniffing a binary blob.  Yet in this case, it produced "text/html", which is obviously scriptable.


On Jul 9, 2012, at 5:05 PM, Adam Barth wrote:

> Why is this sniffing gone awry?  Nothing bad seems to have happened in
> this example.
> Adam
> On Mon, Jul 9, 2012 at 1:55 PM, Richard L. Barnes <> wrote:
>> Related to draft-ietf-websec-mime-sniff, an example of sniffing gone awry:
>> <>
>> It's a valid JPEG image that contains an HTML snippet in a comment segment.  As a result, when a browser loads the URL expecting an image, it renders the image content, and when it expects HTML, it skips the binary junk at the top and renders the HTML [*]. (In both cases, the server reports Content-Type text/html.)  What's even more startling is that Chrome helpfully adds the binary junk at the top as the first child of the <body> element in the parsed DOM!
>> --Richard
>> [*] At least in Chrome 20.0.1132.47
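The JPEG/HTML polyglot described in this thread, and the draft's "Text or Binary" step Richard cites, as an added example (not code from the thread, from Chrome, or from the draft): a small Python checker a server could run on uploaded images, which walks the JPEG segment list for COM payloads that carry markup and reports what the draft's binary-data-byte test would say about the file's prefix. The byte ranges are my reading of the draft's Text or Binary section, and the sample files are constructed minimal JPEG containers, not real photographs.

```python
import struct

# Byte values the draft's "Text or Binary" step treats as binary data bytes
# (my reading of draft-ietf-websec-mime-sniff; any one of them in the prefix => octet-stream).
BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B] + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20)))

# Markup fragments that mean "scriptable content is hiding in an image comment".
HTML_MARKERS = (b"<html", b"<!doctype html", b"<body", b"<script", b"<iframe", b"<svg")

def sniff_text_or_binary(data: bytes, limit: int = 512) -> str:
    """Verdict the Text or Binary step gives a prefix that matched no signature."""
    if any(b in BINARY_DATA_BYTES for b in data[:limit]):
        return "application/octet-stream"
    return "text/plain"

def jpeg_comments(data: bytes):
    """Yield the payload of every COM (0xFFFE) segment that precedes start-of-scan."""
    # Minimal segment walker: assumes no 0xFF fill bytes between markers.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS: entropy-coded data follows
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:              # COM segment
            yield payload
        pos += 2 + length

def markup_in_comments(data: bytes) -> list:
    """COM payloads carrying HTML markup: the polyglot pattern described in the thread."""
    return [c for c in jpeg_comments(data) if any(m in c.lower() for m in HTML_MARKERS)]

def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG container (SOI, one COM segment, EOI); not a real photo."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"

POLYGLOT_HTML = b"<html><body><script>alert(1)</script></body></html>"
SAMPLE_POLYGLOT = build_sample_jpeg(POLYGLOT_HTML)                           # constructed
SAMPLE_CLEAN = build_sample_jpeg(b"Created with a camera; no markup here")   # constructed
```

A file that markup_in_comments flags should be served with its real image Content-Type rather than text/html, or have its COM segments stripped at upload time.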