rfcdiff: draft-ietf-websec-mime-sniff-00.txt vs. draft-ietf-websec-mime-sniff-01.txt

Internet-Draft                                                  A. Barth
                                                               I. Hickson
                                                            Google, Inc.
Expires: July 28, 2011 (-00: July 2, 2011)
January 24, 2011 (-00: December 29, 2010)

                           Media Type Sniffing
                     draft-ietf-websec-mime-sniff-01

Abstract

Many web servers supply incorrect Content-Type header fields with
their HTTP responses. In order to be compatible with these servers,
user agents consider the content of HTTP responses as well as the
Content-Type header fields when determining the effective media type
of the response. This document describes an algorithm for
determining the effective media type of HTTP responses that balances
security and compatibility considerations.

[skipping to change at page 1, line 44]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on July 28, 2011 (-00: July 2, 2011).

Copyright Notice

Copyright (c) 2011 (-00: 2010) IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   3.  Web Pages  . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   4.  Text or Binary . . . . . . . . . . . . . . . . . . . . . . . .  8
   5.  Unknown Type . . . . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Image  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
   7.  Feed or HTML . . . . . . . . . . . . . . . . . . . . . . . . . 17
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21

(Page numbers are those of -01; in -00 sections 6, 7, 8 and the Authors' Addresses began on pages 15, 16, 19 and 20.)

1. Introduction

The HTTP Content-Type header field indicates the media type of an
HTTP response. However, many HTTP servers supply a Content-Type that
does not match the actual contents of the response. Historically,
web browsers have tolerated these servers by examining the content of
HTTP responses in addition to the Content-Type header field to
determine the effective media type of the response.
[skipping to change at page 14, line 13]

   | FF FF FF FF FF FF | 89 50 4E 47 0D 0A | image/png       | Safe       |
   | FF FF             | 1A 0A             |                 |            |
   | Comment: The PNG signature.                                          |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF          | FF D8 FF          | image/jpeg      | Safe       |
   | Comment: A JPEG SOI marker followed by an octet of another marker.   |
   +-------------------+-------------------+-----------------+------------+
   | FF FF             | 42 4D             | image/bmp       | Safe       |
   | Comment: The string "BM", a BMP signature.                           |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF 00 00 | 52 49 46 46 00 00 | image/webp      | Safe       |
   | 00 00 FF FF FF FF | 00 00 57 45 42 50 |                 |            |
   | FF FF             | 56 50             |                 |            |
   | Comment: "RIFF" followed by four bytes, followed by "WEBPVP".        |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF       | 00 00 01 00       | image/vnd.      | Safe       |
   |                   |                   | microsoft.icon  |            |
   | Comment: A Windows Icon signature.                                   |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF FF    | 4F 67 67 53 00    | application/ogg | Safe       |
   | Comment: An Ogg Vorbis audio or video signature.                     |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF 00 00 | 52 49 46 46 00 00 | audio/x-wave    | Safe       |
   | 00 00 FF FF FF FF | 00 00 57 41 56 45 |                 |            |
   | Comment: "RIFF" followed by four bytes, followed by "WAVE".          |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF       | 1A 45 DF A3       | video/webm      | Safe       |
   | Comment: The WebM signature [TODO: Use more octets?]                 |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF FF FF | 52 61 72 20 1A 07 | application/    | Safe       |
   | FF                | 00                | x-rar-compressed|            |
   | Comment: A RAR archive.                                              |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF FF       | 50 4B 03 04       | application/zip | Safe       |
   | Comment: A ZIP archive.                                              |
   +-------------------+-------------------+-----------------+------------+
   | FF FF FF          | 1F 8B 08          | application/    | Safe       |
   |                   |                   | x-gzip          |            |
   | Comment: A GZIP archive.                                             |
   +-------------------+-------------------+-----------------+------------+

   [TODO: MP3 audio and H.264 video.]

(The image/webp, application/ogg, audio/x-wave and video/webm rows and the MP3/H.264 TODO are new in -01.)

User agents MAY support additional types if necessary, by implicitly
adding to the above table. However, user agents SHOULD NOT use any
other patterns for types already mentioned in the table above,
because this could then be used for privilege escalation (where,
e.g., a server uses the above table to determine that content is not
HTML and thus safe from cross-site scripting attacks, but then a user
agent detects it as HTML anyway and allows script to execute). In
extending this table, user agents SHOULD NOT introduce any privilege
escalation vulnerabilities.
[skipping to change at page 16, line 17 (-00: page 15, line 17)]

This section defines the *rules for sniffing images specifically*.

If the official-type is "image/svg+xml", then let the sniffed-type be
the official-type (an XML type) and abort these steps.

If the first octets match one of the octet sequences in the first
column of the following table, then let the sniffed-type be the type
given in the corresponding cell in the second column on the same row
and abort these steps:

   +-------------------------+--------------------------+-----------------+
   | Bytes in Hexadecimal    | Sniffed Type             | Comment         |
   +-------------------------+--------------------------+-----------------+
   | 47 49 46 38 37 61       | image/gif                | "GIF87a"        |
   | 47 49 46 38 39 61       | image/gif                | "GIF89a"        |
   | 89 50 4E 47 0D 0A 1A 0A | image/png                |                 |
   | FF D8 FF                | image/jpeg               |                 |
   | 42 4D                   | image/bmp                | "BM"            |
   | 00 00 01 00             | image/vnd.microsoft.icon |                 |
   | (see Section ??)        | image/webp               | "RIFF????WEBPVP |
   +-------------------------+--------------------------+-----------------+

(The image/webp row is new in -01.)

Otherwise, let the sniffed-type be the official-type and abort these
steps.
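As an added example (not code from the draft), the following Python implements the mask/pattern matching that the byte-pattern table above relies on and applies it to the image-sniffing steps of this section; the row list, the `sniff_image` name and the sample inputs are constructed here, and the WebP mask/pattern is taken from the unknown-type table rather than the unresolved "(see Section ??)" reference.

```python
# Added example, not part of the draft: the mask/pattern match behind the
# draft's byte-pattern table, applied to its "rules for sniffing images".
# An octet matches when (octet & mask) == pattern, so a 00 mask octet is a
# wildcard (the four RIFF length octets before "WEBPVP").

def row(mask_hex, pattern_hex, mtype):
    return (bytes.fromhex(mask_hex), bytes.fromhex(pattern_hex), mtype)

# Rows transcribed from the image table; the WebP mask/pattern comes from the
# unknown-type table, which the image table's "(see Section ??)" points to.
IMAGE_ROWS = [
    row("FFFFFFFFFFFF", "474946383761", "image/gif"),           # "GIF87a"
    row("FFFFFFFFFFFF", "474946383961", "image/gif"),           # "GIF89a"
    row("FFFFFFFFFFFFFFFF", "89504E470D0A1A0A", "image/png"),
    row("FFFFFF", "FFD8FF", "image/jpeg"),
    row("FFFF", "424D", "image/bmp"),                           # "BM"
    row("FFFFFFFF", "00000100", "image/vnd.microsoft.icon"),
    row("FFFFFFFF00000000FFFFFFFFFFFF",
        "5249464600000000574542505650", "image/webp"),          # RIFF????WEBPVP
]

def matches(data: bytes, mask: bytes, pattern: bytes) -> bool:
    """True when the leading octets of data equal pattern under mask."""
    if len(data) < len(pattern):
        return False  # too few octets to decide: no match
    return all((d & m) == p for d, m, p in zip(data, mask, pattern))

def sniff_image(official_type: str, data: bytes) -> str:
    """The draft's image steps: image/svg+xml is kept as declared, the table
    is consulted next, and anything unmatched keeps the official type.
    No row yields a scriptable type, so the result can never become HTML."""
    if official_type == "image/svg+xml":
        return official_type
    for mask, pattern, mtype in IMAGE_ROWS:
        if matches(data, mask, pattern):
            return mtype
    return official_type

# Constructed inputs (not from the draft): (official type, leading octets).
SAMPLES = {
    "png_labelled_gif": ("image/gif", bytes.fromhex("89504E470D0A1A0A") + b"\0" * 8),
    "webp_any_length": ("application/octet-stream", b"RIFF\x12\x34\x56\x78WEBPVP8 "),
    "html_labelled_png": ("image/png", b"<!DOCTYPE html><p>not an image"),
    "svg_declared": ("image/svg+xml", b'<?xml version="1.0"?><svg/>'),
}

if __name__ == "__main__":
    for name, (declared, octets) in SAMPLES.items():
        print(f"{name:18s} {declared:25s} -> {sniff_image(declared, octets)}")
```

The third sample shows the property the draft's privilege-escalation note depends on: HTML-looking content served as an image stays an image type, because the image table contains no pattern that maps to text/html.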
7. Feed or HTML

1. The user agent MAY wait for 512 or more octets to arrive for the
   same reason as in the "text or binary" section above.

2. Let s be the stream of octets, and let s[i] represent the octet
End of changes. 9 change blocks. 19 lines changed or deleted, 36 lines changed or added.

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/