IE and Content-disposition inline vs. extension-to

2019-05-06 17:30发布

问题:

Preamble

So IE does Mime-Type sniffing. That part's old news.

Suggestions of how to combat it tend to be along the lines of 'supply a content-type IE trusts' (i.e. anything that isn't text/plain or application/octet-stream) or 'add extraneous data at the start of the file that is definitely of the type you're serving'.

Now, I'm working on an application that has to allow message attachments (like in e-mails), occasionally to be displayed inline (again like in e-mails), and we want to close up XSS vectors. IE's mime sniffing (in unpatched IE6-, which I must support, e.g. IE6/Win2000) is one of those vectors - a text/plain file with html content will trigger as html. Recoding isn't an option at this point, changing the attachments the user has provided can only happen if there is absolutely no doubt about the maliciousness of the file - and someone might want to send HTML as text.

Now, Microsoft's MSDN article implies the situation might be easier to fix than advertised:

If Internet Explorer knows the Content-Type specified and there is no Content-Disposition data, Internet Explorer performs a "MIME sniff," [...]

Great!

Except I don't have IE nor current means to reliably install it (I realise this is a fairly sad state for a webdeveloper to be in, I hope to fix this soon) and this is grey theory that I can't quite seem to get confirmed one way or the other. Local sources say that line is hogwash - IE will mime sniff anything that is Content-Disposition: inline / <default> and not specific enough for its tastes in -Type.

But what about x-* ('extension-token' in the RFC)?

Trying to google for how browsers handle Content-Disposition: <extension-token> hasn't yielded anything (though I may just be doing it wrong, my understanding of Google is seriously slipping lately). I found one question that looked promising, but turned out to be a misunderstanding on side of the thread author, meaning that the train of thought was never actually addressed there.

Question(s)

Does IE really Mime sniff if you expressly pass Content-Disposition: inline?

If so: Does anyone here know how browsers handle Content-Disposition: <extension-token>?

If they do this in a way that is for my purposes benign, by presuming it to be synonymous with the default (effectively 'inline', though I hear it's not defined anywhere?), is it specific enough for IE not to Mime sniff? Or am I actually shooting myself in the foot by thinking of pursuing this avenue?

回答1:

Note:

"Note In Internet Explorer 6 for Windows XP Service Pack 2 (SP2), the MIME type "text/plain" is not ambiguous, and is never rendered as HTML in the restricted zone, even if the content suggests that this is the correct format."



回答2:

I remember returning text properly with some Content-disposition: attachment, but I'm not sure if it fits Your case.

But this will surely be helpful:

You don't need Windows (r) to install ie6. Try ies4linux



回答3:

I've found http://www.browserstack.com/ to be VERY useful. you can use any version of any browser on one of their servers through a flash-application.

it's a paid service, but you can test it for free for three months (sponsored by Microsoft, since they know you kneed tools like this to develop for Internet Explorer) by using a link found on modern.ie