New issue
Advanced search Search tips

Issue 822788 link

Starred by 0 users
Status: WontFix
Owner: ----
Closed: Mar 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

JPEG image from a 304 response is displayed as binary data, not rendered

Reported by 13hu...@gmail.com, Mar 16 2018 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/64.0.3282.167 Chrome/64.0.3282.167 Safari/537.36

Example URL:
https://grooming.wahl.com/sites/default/files/products/631_1

Steps to reproduce the problem:
1. Visit URL of an image that has a 304 response status 
https://grooming.wahl.com/sites/default/files/products/631_1

What is the expected behavior?
Renders the image

What went wrong?
Displays the raw binary data of the image without rendering it.

Did this work before? N/A 

Chrome version: 64.0.3282.167  Channel: stable
OS Version: 
Flash Version: 

Firefox displays the image correctly.
304_jpeg.png
258 KB View Download

Comment 1 by woxxom@gmail.com, Mar 16 2018 

The server doesn't set Content-Type header in the response.
The specification https://tools.ietf.org/html/rfc7231#section-3.1.1.5 says:

   If a Content-Type header field is not present, the recipient
   MAY either assume a media type of "application/octet-stream"
   ([RFC2046], Section 4.5.1) or examine the data to determine its type.

   In practice, resource owners do not always properly configure their
   origin server to provide the correct Content-Type for a given
   representation, with the result that some clients will examine a
   payload's content and override the specified type.  Clients that do
   so risk drawing incorrect conclusions, which might expose additional
   security risks (e.g., "privilege escalation").  Furthermore, it is
   impossible to determine the sender's intent by examining the data
   format: many data formats match multiple media types that differ only
   in processing semantics.  Implementers are encouraged to provide a
   means of disabling such "content sniffing" when it is used.

So the specification doesn't require guessing.
On the contrary, it warns against it due to possible security risks.
Chrome Chrome follows the safe route and assumes "application/octet-stream" as per the recommendation in the spec.
Firefox (and maybe other browsers) take the risks.

Comment 2 by mef@chromium.org, Mar 16 2018

Status: WontFix (was: Unconfirmed)
Exactly, this is working as intended.

For https://grooming.wahl.com/sites/default/files/products/631_1 


t=5760 [st=127]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                       --> HTTP/1.1 200 OK
                           Date: Fri, 16 Mar 2018 17:44:28 GMT
                           Server: Apache/2.4.18 (Ubuntu)
                           X-Content-Type-Options: nosniff
                           Last-Modified: Mon, 07 Dec 2015 18:56:12 GMT
                           ETag: "14394-5265369305b6e"
                           Accept-Ranges: bytes
                           Content-Length: 82836
                           Cache-Control: max-age=1209600
                           Expires: Fri, 30 Mar 2018 17:44:28 GMT
                           Keep-Alive: timeout=2, max=100
                           Connection: Keep-Alive

Comment 3 by 13hu...@gmail.com, Mar 16 2018 

Makes sense, thanks for looking into it.

Sign in to add a comment