IE and Content-disposition inline vs. extension-token


Problem description

Preamble

So IE does Mime-Type sniffing. That part's old news.

Suggestions of how to combat it tend to be along the lines of 'supply a content-type IE trusts' (i.e. anything that isn't text/plain or application/octet-stream) or 'add extraneous data at the start of the file that is definitely of the type you're serving'.

Now, I'm working on an application that has to allow message attachments (like in e-mails), occasionally to be displayed inline (again like in e-mails), and we want to close up XSS vectors. IE's mime sniffing (in unpatched IE6-, which I must support, e.g. IE6/Win2000) is one of those vectors - a text/plain file with html content will trigger as html. Recoding isn't an option at this point, changing the attachments the user has provided can only happen if there is absolutely no doubt about the maliciousness of the file - and someone might want to send HTML as text.

Now, Microsoft's MSDN article implies the situation might be easier to fix than advertised:

If Internet Explorer knows the Content-Type specified and there is no Content-Disposition data, Internet Explorer performs a "MIME sniff," [...]

Great!

Except I don't have IE or current means to reliably install it (I realise this is a fairly sad state for a web developer to be in, I hope to fix this soon) and this is grey theory that I can't quite seem to get confirmed one way or the other. Local sources say that line is hogwash - IE will mime sniff anything that is Content-Disposition: inline / <default> and not specific enough for its tastes in -Type.

But what about x-* ('extension-token' in the RFC)?

Trying to google for how browsers handle Content-Disposition: <extension-token> hasn't yielded anything (though I may just be doing it wrong, my understanding of Google is seriously slipping lately). I found one question that looked promising, but turned out to be a misunderstanding on the side of the thread author, meaning that the train of thought was never actually addressed there.

Question(s)

Does IE really Mime sniff if you expressly pass Content-Disposition: inline?

If so: Does anyone here know how browsers handle Content-Disposition: <extension-token>?

If they do this in a way that is for my purposes benign, by presuming it to be synonymous with the default (effectively 'inline', though I hear it's not defined anywhere?), is it specific enough for IE not to Mime sniff? Or am I actually shooting myself in the foot by thinking of pursuing this avenue?

Solution

Note:

"Note In Internet Explorer 6 for Windows XP Service Pack 2 (SP2), the MIME type "text/plain" is not ambiguous, and is never rendered as HTML in the restricted zone, even if the content suggests that this is the correct format."
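As an added example (not part of the question or the answer above), one way to serve user-supplied attachments without depending on how a given browser treats Content-Disposition: allow inline display only for a short allowlist of types, downgrade text/plain that opens like HTML to a download instead of re-encoding the user's file, and send X-Content-Type-Options: nosniff, a header the page does not mention that IE8 and later browsers honour but IE6 ignores. INLINE_SAFE_TYPES, the HTML-marker heuristic and the sample inputs are constructed for illustration, not IE's actual sniffing rules.

```python
import re

# Types a browser may display inline; anything else is forced to a download
# (constructed allowlist, adjust to the application's needs).
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Leading bytes that a sniffing browser would take as HTML. This is a constructed
# heuristic for the example, not IE's real algorithm.
_HTML_MARKERS = re.compile(
    rb"^\s*<(!doctype\s+html|html|head|body|script|iframe|meta|title)",
    re.IGNORECASE,
)


def looks_like_html(first_bytes: bytes) -> bool:
    """True if the first 512 bytes start with something that reads as HTML."""
    return _HTML_MARKERS.search(first_bytes[:512]) is not None


def safe_filename(name: str) -> str:
    """Drop quotes, CR/LF and non-ASCII so the name cannot break out of the header."""
    cleaned = re.sub(r"[^\w.\- ]", "_", name, flags=re.ASCII)
    return cleaned.strip(" .") or "attachment"


def attachment_headers(content_type: str, filename: str,
                       first_bytes: bytes, want_inline: bool) -> dict:
    """Return the response headers for serving one user-supplied attachment."""
    content_type = content_type.split(";")[0].strip().lower() or "application/octet-stream"
    inline = want_inline and content_type in INLINE_SAFE_TYPES
    # text/plain that opens like HTML is exactly the case old IE renders as HTML;
    # serve it as a download rather than changing the user's bytes.
    if content_type == "text/plain" and looks_like_html(first_bytes):
        inline = False
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Honoured by IE8+ and current browsers; IE6 ignores it, which is why the
        # allowlist above forces unknown types to a download instead of relying on it.
        "X-Content-Type-Options": "nosniff",
    }
```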
