
Issue 847720


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome mime-sniffs HTML when no Content-Type is specified

Reported by figs...@gmail.com, May 30 2018

Issue description

If it is not a common suffix, the XSS vulnerability is raised.
If the file extension is not a common one, content sniffing is performed, which triggers the XSS vulnerability.

payload
------------------------------
<html>
  <script>
  alert('xss-test');
  </script>
</html>
------------------------------

See attachment, proof of vulnerability.
See the attachment; it contains proof of the vulnerability.
 
Attachments: xss.png (47.4 KB), xss2.png (39.7 KB)
Labels: Needs-Feedback
I believe this is working as intended. MIME Sniffing from certain types is expected. 

The relevant factor that determines whether Chrome renders a response as HTML, in the case of a response served over HTTP, is the value of the Content-Type header. What is the value of that header in your repro case? (See the Network tab of the Chrome Developer Tools). 

(Issue 777737 concerns sniffing in responses served from the file:// protocol).

Comment 2 by figs...@gmail.com, May 30 2018

See attachment: no Content-Type.

you can try
Attachment: fsd.png (85.7 KB)

Comment 3 by sheriffbot@chromium.org, May 30 2018

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
Summary: Security: Chrome mime-sniffs HTML when no Content-Type is specified (was: Security: Google Chrome XSS)
Yes, it's working as designed that Chrome sniffs HTML in a response served over HTTP lacking a Content-Type. To prevent sniffing, the |X-Content-Type-Options: nosniff| response header may be sent. 

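The behaviour comment 4 describes (an HTTP response with no Content-Type is sniffed and may render as HTML; X-Content-Type-Options: nosniff stops that) as an added, runnable check that is not part of this issue or of Chromium's code. It models the rules from the comment over the issue's payload; the HTML signature list and the harden() helper are assumptions for illustration, not Chromium's sniffing table.

```python
# Added example (not from the issue or Chromium): audits an HTTP response for
# the condition reported here, a body a browser may sniff as HTML because no
# Content-Type was sent, and shows the nosniff header as the fix.
import re

# Constructed sample: the payload posted in the issue description.
PAYLOAD = b"<html>\n  <script>\n  alert('xss-test');\n  </script>\n</html>"

# Tag-leading signatures checked near the start of a body. This list is an
# assumption for illustration, not Chromium's exact sniffing table.
HTML_SIGNATURES = re.compile(
    rb"^\s*<(?:!doctype html|html|script|body|head|iframe|div|p\s|br)", re.I)

def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def rendered_as_html(headers, body):
    """True if a browser following the rules in comment 4 would render
    this response as an HTML document."""
    ct = _get(headers, "Content-Type")
    if ct is not None:
        # An explicit type is honoured: only text/html renders as a document.
        return ct.split(";")[0].strip().lower() == "text/html"
    nosniff = (_get(headers, "X-Content-Type-Options") or "").strip().lower()
    if nosniff == "nosniff":
        return False  # sniffing disabled, so a missing type is never upgraded to HTML
    return HTML_SIGNATURES.match(body[:512]) is not None

def harden(headers, fallback="application/octet-stream"):
    """Hypothetical server-side fix: always declare a type and forbid sniffing."""
    out = dict(headers)
    if _get(out, "Content-Type") is None:
        out["Content-Type"] = fallback
    out["X-Content-Type-Options"] = "nosniff"
    return out

# Constructed header sets for the same payload, from vulnerable to fixed.
SAMPLES = {
    "no_content_type": {"Server": "demo"},
    "nosniff_only": {"Server": "demo", "X-Content-Type-Options": "nosniff"},
    "declared_png": {"Content-Type": "image/png"},
    "hardened": harden({"Server": "demo"}),
}

def audit(samples):
    return {name: rendered_as_html(h, PAYLOAD) for name, h in samples.items()}

if __name__ == "__main__":
    for name, flagged in audit(SAMPLES).items():
        print(f"{name:16} renders as HTML: {flagged}")
```

Only the first sample is flagged; it is the exact situation shown in the reporter's screenshot, and either a declared type or nosniff removes it.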
Comment 5 by figs...@gmail.com, May 31 2018

So, you know.
This is a Chrome security issue.
I think what you should do is ensure user safety.

^^

Comment 6 by sheriffbot@chromium.org, Sep 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
