views: 325
answers: 2

This question, despite the accepted answer, was not answered. The reason it has an answer marked as accepted is that the bounty system, which I used, demands one. You are still welcome to answer this question if you know the answer (please do) - I will try to reputation-pay you in upvotes elsewhere. (Reputation purists may now throw rocks at me).


Preamble

So IE does Mime-Type sniffing. That part's old news.

Suggestions of how to combat it tend to be along the lines of 'supply a content-type IE trusts' (i.e. anything that isn't text/plain or application/octet-stream) or 'add extraneous data at the start of the file that is definitely of the type you're serving'.

Now, I'm working on an application that has to allow message attachments (like in e-mails), occasionally to be displayed inline (again like in e-mails), and we want to close up XSS vectors. IE's mime sniffing (in unpatched IE6-, which I must support, e.g. IE6/Win2000) is one of those vectors - a text/plain file with html content will trigger as html. Recoding isn't an option at this point, changing the attachments the user has provided can only happen if there is absolutely no doubt about the maliciousness of the file - and someone might want to send HTML as text.

Now, Microsoft's MSDN article implies the situation might be easier to fix than advertised:

If Internet Explorer knows the Content-Type specified and there is no Content-Disposition data, Internet Explorer performs a "MIME sniff," [...]

Great!

Except I have neither IE nor any current means to reliably install it (I realise this is a fairly sad state for a web developer to be in, I hope to fix this soon), and this is grey theory that I can't quite seem to get confirmed one way or the other. Local sources say that line is hogwash - IE will mime sniff anything that is Content-Disposition: inline / <default> and not specific enough for its tastes in -Type.

But what about x-* ('extension-token' in the RFC)?

Trying to google for how browsers handle Content-Disposition: <extension-token> hasn't yielded anything (though I may just be doing it wrong, my understanding of Google is seriously slipping lately). I found one question that looked promising, but it turned out to be a misunderstanding on the side of the thread author, meaning that the train of thought was never actually addressed there.

Question(s)

Does IE really Mime sniff if you expressly pass Content-Disposition: inline?

If so: Does anyone here know how browsers handle Content-Disposition: <extension-token>?

If they do this in a way that is for my purposes benign, by presuming it to be synonymous with the default (effectively 'inline', though I hear it's not defined anywhere?), is it specific enough for IE not to Mime sniff? Or am I actually shooting myself in the foot by thinking of pursuing this avenue?
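The defensive approach implied by the question (do not rely on the browser honouring any particular disposition for ambiguous content; instead decide server-side what may be shown inline) can be written down as a small header-building routine. The following is an added example, not code from the question or the answers: it keeps an allowlist of media types that are safe to render inline, forces `Content-Disposition: attachment` for everything else, additionally forces attachment for `text/plain` whose leading bytes look like HTML markup (so an unpatched IE6 never gets a chance to sniff it as HTML), sanitizes the filename so it cannot break out of the quoted string, and also emits `X-Content-Type-Options: nosniff`, a real header that tells IE8 and later not to sniff but which does nothing for IE6. The allowlist, the tag list used by `looks_like_html` and the 256-byte window are constructed choices for the example, not values from the page or from IE's actual sniffing rules.

```python
import re
from typing import Dict

# Media types the example allows to be shown inline (constructed allowlist).
# text/plain is allowed only after an extra check of the leading bytes.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Tag prefixes that make a text/plain body look like HTML (constructed list,
# an approximation of what a sniffing browser would react to).
HTML_MARKERS = (
    b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe",
    b"<img", b"<a ", b"<div", b"<table", b"<title", b"<meta",
)


def looks_like_html(head: bytes, window: int = 256) -> bool:
    """True if the first `window` bytes contain something a browser could take for HTML."""
    sample = head[:window].lower()
    return any(marker in sample for marker in HTML_MARKERS)


def sanitize_filename(name: str) -> str:
    """Strip directory parts and reduce to a conservative character set so the
    value cannot close the quoted-string in Content-Disposition."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "attachment"


def response_headers(declared_type: str, filename: str,
                     want_inline: bool, head: bytes) -> Dict[str, str]:
    """Build the headers for serving one user-supplied attachment.

    declared_type: the Content-Type stored with the attachment (may be empty).
    want_inline:   whether the application would like inline display.
    head:          the first bytes of the attachment body.
    """
    ctype = (declared_type or "").split(";", 1)[0].strip().lower()
    if not ctype:
        ctype = "application/octet-stream"

    inline_ok = want_inline and ctype in INLINE_SAFE_TYPES
    # A text/plain body that starts like HTML is exactly the case the
    # question worries about: serve it as a download, never inline.
    if inline_ok and ctype == "text/plain" and looks_like_html(head):
        inline_ok = False

    disposition = "inline" if inline_ok else "attachment"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{sanitize_filename(filename)}"',
        # Honoured by IE8+ and other modern browsers; harmless for older ones.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("text/plain", "notes.txt", b"meeting at 10, bring the slides"),
        ("text/plain", "notes.txt", b"<html><body><script>alert(1)</script>"),
        ("text/html", "page.html", b"<html>"),
        ("", "blob", b"\x00\x01\x02"),
        ("image/png", '../../weird name"; x.png', b"\x89PNG"),
    ]
    for ctype, name, head in samples:
        for k, v in response_headers(ctype, name, True, head).items():
            print(f"{k}: {v}")
        print()
```

The decision is made entirely from data the server already holds (stored type, filename, leading bytes), so it does not depend on how any browser interprets an extension-token disposition, and it never rewrites the attachment itself; it only changes whether the browser is told to display or download it.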

+2  A: 

Note:

"Note In Internet Explorer 6 for Windows XP Service Pack 2 (SP2), the MIME type "text/plain" is not ambiguous, and is never rendered as HTML in the restricted zone, even if the content suggests that this is the correct format."

Julian Reschke
Yeah, I know about the SP2 patch (for lack of a better phrase). :) But you're right, that could've gone with a mention. Thanks.
pinkgothic
+1  A: 

I remember returning text properly with some Content-disposition: attachment, but I'm not sure if it fits Your case.

But this will surely be helpful:

You don't need Windows (r) to install ie6. Try ies4linux

naugtur
`Content-disposition:attachment` isn't an option, I'm afraid. (I do know IE doesn't mimetype sniff with that.) But, definitely thank you for ies4linux; while that doesn't want to work with my system at the moment (), I'll be sure to try that again elsewhere. It's good to know such a thing exists! [will upvote when I can, at daily cap at the moment]
pinkgothic
Don't panic with that upvoting stuff, I wasn't going to send any people to beat You up for not upvoting my answer ;) And I have no idea what OS You've got, but as far as I know it is possible to run ie6 on any system. I've seen a success story of setting it up on `wine`.
naugtur
And! You can use sites like http://browsershots.org It's a slow thing, but it's more comfortable than calling a friend and asking him to go to a given url and say what happens :P
naugtur
@naugtur: <del>No people to beat me? Damn.</del> I use Kubuntu, but it's probably terribly broken, configuration wise. I wouldn't sweat it, I'm sure it's just a quirk in this particular system, due to my utter inability to speak Linux. ;) And I know of browsershots - might have to look into that if all else fails, would be considerably tricky to set up a site right. Might as well just use my Windows machine on my own code when I'm home rather than at work, then, really. :)) But thank you!
pinkgothic
I give up waiting for an answer. There you go, naugtur. Thanks for your efforts.
pinkgothic
Thank You. I had a second of reading and I thought You could try checking if returning a file extension helps. It was mentioned somewhere, but I don't understand MSDN sites much. Not that I don't know English, but I just don't know what they are trying to say sometimes :P
naugtur