Browser MIME sniffing #63

Description

@tuyenee

Inspired by Jan Rude and this Hackerone report, the question is how browsers sniff content types.

Say a response when downloading a .tar.gz file contains Content-Type: application/octet-stream but with an HTML body like this:

<html><script>alert(0)</script></html>

Does the browser interpret this response as a file attachment or an HTML webpage? Certainly the X-Content-Type-Options is not set.
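
A defender-side check for the scenario in the question, added here as an example (it is not from the issue and not any browser's sniffing code): it flags a response whose Content-Type is not text/html but whose body opens with an HTML pattern, when neither X-Content-Type-Options: nosniff nor Content-Disposition: attachment is present. The tag list approximates the HTML pattern table of the WHATWG MIME Sniffing standard; the sample headers and body are constructed from the issue.

```python
"""Flag HTTP responses that could be MIME-sniffed into HTML.

Constructed check, not from the issue or any browser: a response is
risky when its Content-Type is not text/html, its body opens with an
HTML pattern, and neither X-Content-Type-Options: nosniff nor
Content-Disposition: attachment is present to stop rendering."""

# Approximation of the HTML pattern table in the WHATWG MIME Sniffing
# standard: "<" + one of these names + a tag-terminating byte (space or ">").
HTML_TAGS = (b"!DOCTYPE HTML", b"HTML", b"HEAD", b"SCRIPT", b"IFRAME", b"H1",
             b"DIV", b"FONT", b"TABLE", b"A", b"STYLE", b"TITLE", b"B",
             b"BODY", b"BR", b"P", b"!--")
LEADING_WHITESPACE = b"\t\n\x0c\r "
TAG_TERMINATORS = b" >"


def looks_like_html(body: bytes, sniff_limit: int = 1445) -> bool:
    """True if the sniffed prefix of body starts with an HTML pattern."""
    head = body[:sniff_limit].lstrip(LEADING_WHITESPACE)
    if not head.startswith(b"<"):
        return False
    rest = head[1:].upper()  # pattern match is case-insensitive
    return any(rest.startswith(tag) and len(rest) > len(tag)
               and rest[len(tag)] in TAG_TERMINATORS for tag in HTML_TAGS)


def assess(headers: dict, body: bytes) -> dict:
    """Classify one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    attachment = h.get("content-disposition", "").strip().lower().startswith("attachment")
    html_body = looks_like_html(body)
    risky = html_body and ctype != "text/html" and not nosniff and not attachment
    return {"content_type": ctype, "nosniff": nosniff, "attachment": attachment,
            "html_body": html_body, "risky": risky}


if __name__ == "__main__":
    # The scenario from the issue: octet-stream download with an HTML body.
    sample = {"Content-Type": "application/octet-stream"}
    print(assess(sample, b"<html><script>alert(0)</script></html>"))
    # Same body with the header the issue notes is missing.
    sample["X-Content-Type-Options"] = "nosniff"
    print(assess(sample, b"<html><script>alert(0)</script></html>"))
```

Run it against captured responses from your own download endpoints; a "risky" result means the server is relying on the browser's sniffing rules rather than declaring the type and disposition itself.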
