Inspired by Jan Rude and this Hackerone report, the question is how browsers sniff content type.
Say a response when downloading a .tar.gz file contains Content-Type: application/octet-stream but with a HTML body like this:
<html><script>alert(0)</script></html>
Does the browser interpret this response as a file attachment or an HTML webpage? Certainly the X-Content-Type-Options is not set.
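As an added example (not part of the question, the report it cites, or any browser's code), here is a small Python check that makes the two sides of this scenario concrete: the HTML byte-pattern test from the WHATWG MIME Sniffing standard's "identifying a resource of unknown type" step (the pattern table as I read it from the standard; browsers apply that step only to resources whose declared type they treat as unknown, and whether a given browser treats application/octet-stream that way is exactly what the question asks), and the response headers a defender adds so that no browser ever has to guess. The sample headers and bodies are constructed.

```python
"""Added example: inspect a download response for MIME-sniffing exposure.

Part 1, html_sniff_match(): the HTML pattern test from the WHATWG MIME Sniffing
standard (optional leading whitespace, one of a fixed set of tags compared ASCII
case-insensitively, then a tag-terminating byte 0x20 or 0x3E).
Part 2, download_hardening_findings(): the header checks a defender runs so the
declared type is authoritative and the response is always a download.
All sample data below is constructed for this example.
"""
from typing import Dict, List

# Patterns the standard compares against the start of the resource; each must be
# followed by a "tag-terminating byte" (space or '>').
HTML_TAG_PATTERNS = (
    b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1", b"<DIV",
    b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B", b"<BODY", b"<BR",
    b"<P", b"<!--",
)
LEADING_WHITESPACE = b"\t\n\x0c\r "
RESOURCE_HEADER_LEN = 1445  # the standard only looks at this many leading bytes


def html_sniff_match(body: bytes) -> bool:
    """True if the body would match the standard's HTML patterns for an unknown type."""
    header = body[:RESOURCE_HEADER_LEN].lstrip(LEADING_WHITESPACE)
    upper = header.upper()  # bytes.upper() folds ASCII only, which is what the spec wants
    for pat in HTML_TAG_PATTERNS:
        if upper.startswith(pat) and len(header) > len(pat) and header[len(pat)] in b" >":
            return True
    return False


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def download_hardening_findings(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return the defensive gaps in a response that is meant to be a file download."""
    findings: List[str] = []
    xcto = _header(headers, "X-Content-Type-Options").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    disposition = _header(headers, "Content-Disposition").split(";")[0].strip().lower()
    if disposition != "attachment":
        findings.append("Content-Disposition: attachment is missing")
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if ctype == "application/octet-stream" and html_sniff_match(body):
        findings.append("generic Content-Type with an HTML-looking body")
    return findings


# Constructed samples: the response from the question, and a hardened version.
WEAK_HEADERS = {"Content-Type": "application/octet-stream"}
HARDENED_HEADERS = {
    "Content-Type": "application/gzip",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="archive.tar.gz"',
}
HTML_BODY = b"<html><script>alert(0)</script></html>"
GZIP_BODY = b"\x1f\x8b\x08" + b"\x00" * 8  # gzip magic bytes followed by padding

if __name__ == "__main__":
    print("HTML body matches sniff patterns:", html_sniff_match(HTML_BODY))
    print("weak response findings:", download_hardening_findings(WEAK_HEADERS, HTML_BODY))
    print("hardened response findings:", download_hardening_findings(HARDENED_HEADERS, GZIP_BODY))
```

The point of the second half is that the answer to "does my browser sniff this?" should not matter in production: with nosniff set and an explicit attachment disposition, the declared type is final and the response is handed to the download path regardless of what the first bytes look like.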