IE 和内容处置内联与扩展令牌
序言
因此 IE 执行 Mime 类型嗅探。那部分是旧闻了。
关于如何对抗它的建议往往是“提供 IE 信任的内容类型”(即不是文本/纯文本或应用程序/八位字节流的任何内容)或“在文件开头添加无关数据”这绝对是您所服务的类型”。
现在,我正在开发一个应用程序,该应用程序必须允许消息附件(例如在电子邮件中),偶尔要内联显示(再次像在电子邮件中),并且我们想要关闭XSS 向量。 IE 的 mime 嗅探(在未修补的 IE6 中,我必须支持,例如 IE6/Win2000)就是这些向量之一 - 包含 html 内容的 text/plain 文件将触发为 html。此时无法选择重新编码,只有在完全确定文件的恶意性并且有人可能希望将 HTML 作为文本发送时,才能更改用户提供的附件。
现在,Microsoft 的 MSDN 文章 暗示情况可能比广告上说的更容易修复:
如果 Internet Explorer 知道 已指定 Content-Type,但没有 内容处置数据,互联网 资源管理器执行“MIME 嗅探”,[...]
太棒了!
除非我没有 IE,也没有当前可靠安装它的方法(我意识到这对于网络开发人员来说是一个相当悲伤的状态,我希望尽快解决这个问题),这是灰色理论,我似乎不太明白以某种方式得到确认。当地消息人士称,该行是胡言乱语 - IE 会模仿嗅探任何 Content-Disposition: inline /
但是 x-* (RFC 中的“扩展令牌”)又如何呢?
尝试用谷歌搜索浏览器如何处理 Content-Disposition:
问题
如果您明确传递 Content-Disposition: inline,IE 真的会嗅探 Mime 吗?
如果是这样:这里有人知道浏览器如何处理 Content-Disposition:
如果他们以一种对我来说是良性的方式做到这一点,假设它与默认值同义(实际上是“内联”,尽管我听说它没有在任何地方定义?),它对于 IE 来说是否足够具体 not< /em> 去模仿 Mime 嗅探?或者我真的是在搬起石头砸自己的脚,因为我想追求这条道路?
Preamble
So IE does Mime-Type sniffing. That part's old news.
Suggestions of how to combat it tend to be along the lines of 'supply a content-type IE trusts' (i.e. anything that isn't text/plain or application/octet-stream) or 'add extraneous data at the start of the file that is definitely of the type you're serving'.
Now, I'm working on an application that has to allow message attachments (like in e-mails), occasionally to be displayed inline (again like in e-mails), and we want to close up XSS vectors. IE's mime sniffing (in unpatched IE6-, which I must support, e.g. IE6/Win2000) is one of those vectors - a text/plain file with html content will trigger as html. Recoding isn't an option at this point, changing the attachments the user has provided can only happen if there is absolutely no doubt about the maliciousness of the file - and someone might want to send HTML as text.
Now, Microsoft's MSDN article implies the situation might be easier to fix than advertised:
If Internet Explorer knows the
Content-Type specified and there is no
Content-Disposition data, Internet
Explorer performs a "MIME sniff," [...]
Great!
Except I don't have IE nor current means to reliably install it (I realise this is a fairly sad state for a webdeveloper to be in, I hope to fix this soon) and this is grey theory that I can't quite seem to get confirmed one way or the other. Local sources say that line is hogwash - IE will mime sniff anything that is Content-Disposition: inline / <default> and not specific enough for its tastes in -Type.
But what about x-* ('extension-token' in the RFC)?
Trying to google for how browsers handle Content-Disposition: <extension-token> hasn't yielded anything (though I may just be doing it wrong, my understanding of Google is seriously slipping lately). I found one question that looked promising, but turned out to be a misunderstanding on side of the thread author, meaning that the train of thought was never actually addressed there.
Question(s)
Does IE really Mime sniff if you expressly pass Content-Disposition: inline?
If so: Does anyone here know how browsers handle Content-Disposition: <extension-token>?
If they do this in a way that is for my purposes benign, by presuming it to be synonymous with the default (effectively 'inline', though I hear it's not defined anywhere?), is it specific enough for IE not to Mime sniff? Or am I actually shooting myself in the foot by thinking of pursuing this avenue?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我记得使用一些
Content-disposition: Attachment正确返回文本,但我不确定它是否适合您的情况。但这肯定会有所帮助:
您不需要 Windows (r) 来安装 ie6。尝试 ies4linux
I remember returning text properly with some
Content-disposition: attachment, but I'm not sure if it fits Your case.But this will surely be helpful:
You don't need Windows (r) to install ie6. Try ies4linux
我发现 http://www.browserstack.com/ 非常有用。
您可以通过 Flash 应用程序在其服务器之一上使用任何版本的任何浏览器。
它是一项付费服务,但您可以使用在 Modern.ie 上找到的链接免费测试三个月(由 Microsoft 赞助,因为他们知道您使用这样的工具来为 Internet Explorer 进行开发)
I've found http://www.browserstack.com/ to be VERY useful.
you can use any version of any browser on one of their servers through a flash-application.
it's a paid service, but you can test it for free for three months (sponsored by Microsoft, since they know you kneed tools like this to develop for Internet Explorer) by using a link found on modern.ie
注意:
“注意在适用于 Windows XP Service Pack 2 (SP2) 的 Internet Explorer 6 中,MIME 类型“text/plain”是明确的,并且永远不会在受限区域中呈现为 HTML,即使内容表明这是正确的格式。”
Note:
"Note In Internet Explorer 6 for Windows XP Service Pack 2 (SP2), the MIME type "text/plain" is not ambiguous, and is never rendered as HTML in the restricted zone, even if the content suggests that this is the correct format."