Open Source and information security mailing list archives
 
From: sec at base-industries.net (fukami)
Subject: Safari/WebCore Content Sniffing

Hi!

Not 100% sure if this is a topic for fd so far.
So, please, put your flamethrower aside if it's not.

A couple of days ago I recognized that Safari (and
other apps using WebCore on MacOS X) do something known
as "content sniffing". That means, if Safari gets a file
with Content-Type "plain/text" it looks into it, and if
the file contains a single(!) HTML or JavaScript tag,
Safari treats that file as HTML.

There seems to be no way of changing that stupid behavior
in Safari/WebCore, and I was shocked when I read the
following comment regarding Safari RSS in the upcoming
Tiger release [1] (found in Mark Pilgrim's weblog [3],
who also seems concerned):

     Also, there is a bit of code way down in WebCore
     that sniffs the incoming page and, when it detects
     the start of an XML document that contains RSS or
     Atom, it auto-corrects the MIME type to
     application/xml+rss or application/xml+atom.

The W3C page "Internet Media Type registration, consistency
of use" [2] reads:

     An example of incorrect and dangerous behavior is a
     user-agent that reads some part of the body of a
     response and decides to treat it as HTML based on its
     containing a <!DOCTYPE declaration or <title> tag, when
     it was served as text/plain or some other non-HTML type.

All other browsers I tested so far have the right behavior
and treat plain text files as plain text files.


    fukami

[1] http://inessential.com/?comments=1&postid=2885
[2] http://www.w3.org/2001/tag/2002/0129-mime#consistency
[3] http://diveintomark.org/archives/2004/08/13/safari-content-sniffing

-- 
A Discordian Shall Always use the Official Discordian Document
Numbering System.
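
A simplified model of the behaviour described in this message, added here as an example (it is not part of the original post and not WebCore's code): it audits responses served as text/plain and flags the ones a sniffing client would treat as HTML. The tag pattern, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: "a single HTML or JavaScript tag" is approximated as any
# <name ...>, </name>, <!DOCTYPE or <!-- sequence. The real WebCore rules
# are not given in the post.
TAG_RE = re.compile(rb"<(?:!doctype\b|!--|/?[a-z][a-z0-9]*(?=[\s/>]))", re.I)

def declared_type(content_type):
    """Media type from a Content-Type header value, parameters dropped."""
    return content_type.split(";", 1)[0].strip().lower()

def sniffing_type(content_type, body):
    """Type a sniffing user agent, as described in the post, would act on."""
    media = declared_type(content_type)
    if media == "text/plain" and TAG_RE.search(body):
        return "text/html"
    return media

def audit(responses):
    """Return (path, declared, sniffed) for each response handled differently."""
    findings = []
    for path, content_type, body in responses:
        declared = declared_type(content_type)
        sniffed = sniffing_type(content_type, body)
        if sniffed != declared:
            findings.append((path, declared, sniffed))
    return findings

# Constructed sample responses: (path, Content-Type header, body bytes)
SAMPLES = [
    ("/notes.txt", "text/plain; charset=utf-8", b"meeting at 10, bring laptop\n"),
    ("/paste/17", "text/plain", b"log line 1\n<script>var x = 1;</script>\n"),
    ("/math.txt", "text/plain", b"if a < b and b > c then stop\n"),
    ("/howto.txt", "Text/Plain", b"Start the page with <!DOCTYPE html>\n"),
    ("/index.html", "text/html", b"<html><title>home</title></html>"),
]

if __name__ == "__main__":
    for path, declared, sniffed in audit(SAMPLES):
        print(f"{path}: served as {declared}, sniffing client renders {sniffed}")
```

Run against stored user content (pastes, uploads, logs) that a site serves as text/plain, the findings are the files whose markup would execute in a client that sniffs instead of honouring the header.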

