IE and Content-disposition inline vs. extension-token

Preamble

Thus, IE sniffs the MIME type. This is old news.

Suggestions on how to deal with it are, as a rule, related to "supplying IE proxies of the type of content" (i.e. nothing that is text/plain or application/octet-stream) or "add extraneous data at the beginning of the file, which definitely refers to the type you serve."

Now I'm working on an application that should allow message attachments (for example, in email messages) that are sometimes displayed inline (again, like in email messages), and we want to close the XSS vectors. IE MIME sniffing (in unpatched IE6-, which I have to support, for example IE6 / Win2000) is one of these vectors: a text/plain file with HTML content will run as HTML. Recoding is not an option at the moment; changing attachments that the user has provided can only happen if there is absolutely no doubt about the file's maliciousness, and someone might want to send HTML as text.

Now the Microsoft MSDN article implies that the situation may be easier to fix than advertised:

"If Internet Explorer knows the Content-Type and there is no Content-Disposition data, Internet Explorer performs a "MIME sniff", [...]"

Excellent!

Except that I don't have IE and I don't have the current tools to install it securely (I understand that this is a rather sad state for a web developer, I hope to fix it soon), and this is gray theory that I cannot quite seem to confirm one way or another. Local sources say that the line is hogwash: IE will MIME sniff everything that is Content-Disposition: inline / <default> and is not specific enough for its tastes in Content-Type.

But what about x-* ('extension-token' in the RFC)?

Google’s attempt to understand how the browser handles Content-Disposition: <extension-token> has yielded nothing (although maybe I’m just mistaken, my understanding of Google has been seriously slipping away recently). I found one question that looked promising, but turned out to be a misunderstanding on the side of the thread author, which meant that the train of thought was never really there.

Question(s)

Does IE really MIME sniff when you explicitly pass Content-Disposition: inline?

If yes: does anyone know how the browser handles Content-Disposition: <extension-token>?

If they handle it in a way that is benign for my purposes, assuming that it is a synonym for the default (effectively "inline", although I heard that it is not defined anywhere?), is it enough for IE not to MIME sniff? Or am I really shooting myself in the foot by thinking about chasing this path?

+4
3 answers

Note:

"Note: In Internet Explorer 6 for Windows XP Service Pack 2 (SP2), the MIME type "text/plain" is not ambiguous and is never displayed as HTML in a restricted area, even if the content indicates that it is the correct format."

+3

I remember how to correctly return text using Content-Disposition: attachment, but I'm not sure if this is appropriate for your case.

But this will certainly be useful:

You do not need Windows(r) to install IE6. Try ies4linux.

+2
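
An added example, not part of the original thread: one way a server could choose response headers for a user-supplied attachment without modifying its bytes, forcing Content-Disposition: attachment for the sniffable types named in the question or when the leading bytes look like markup. The function names, the 256-byte window and the token list are assumptions made for illustration, not IE's actual algorithm.

```python
import re

# Types the question names as too ambiguous for IE's taste.
SNIFFABLE_TYPES = {"text/plain", "application/octet-stream"}
# Assumption: only the leading bytes are inspected; 256 is used here.
SNIFF_WINDOW = 256
# Heuristic markup tokens (constructed list, not IE's own).
HTML_HINT = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|img|a\s|title|table|plaintext)",
    re.I,
)
MIME_TOKEN = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def safe_filename(name):
    """Drop path parts and any character that could break out of the header."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._ -]", "_", name).strip(" .")
    return name or "attachment"


def looks_like_html(body):
    """True if the start of the body contains something resembling HTML."""
    return bool(HTML_HINT.search(body[:SNIFF_WINDOW]))


def attachment_headers(filename, declared_type, body, want_inline=False):
    """Headers for serving an upload as-is; the body is never rewritten."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    if not MIME_TOKEN.fullmatch(mime):
        # Malformed or injected type: fall back to a generic download.
        mime = "application/octet-stream"
    risky = (
        mime in SNIFFABLE_TYPES
        or mime == "text/html"
        or looks_like_html(body)
    )
    disposition = "inline" if (want_inline and not risky) else "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": '%s; filename="%s"'
        % (disposition, safe_filename(filename)),
        # Honoured by IE8 and later only; it does not cover the IE6 case.
        "X-Content-Type-Options": "nosniff",
    }
```

Inline display is granted only when the caller asks for it and nothing about the declared type or the leading bytes is ambiguous; every other upload is offered as a download.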

I found http://www.browserstack.com/ to be VERY helpful. You can use any version of any browser on one of their servers via a Flash application.

It's a paid service, but you can test it for free for three months (sponsored by Microsoft, because they know that you have worked such tools for Internet Explorer this way) using the link found on modern.ie.

-1

Source: https://habr.com/ru/post/1302719/

