kvmcruise.blogg.se

Html mime types

The HTTP Content-Type header field is intended to indicate the

However, many HTTP servers supply a Content-Type header field value that does not match the actual contents of the response. Historically, web browsers have tolerated these servers by examining the content of HTTP responses in addition to the Content-Type header field in order to determine the effective MIME type of the response.

Without a clear specification for how to "sniff" the MIME type, each user agent has been forced to reverse-engineer the algorithms of other user agents

Inevitably, these efforts have not been entirely successful, resulting in

In some cases, these divergent behaviors have had security implications, as a user agent could interpret an HTTP response as a different MIME type than

These security issues are most severe when an "honest" server allows potentially malicious users to upload their own files and then serves the contents of those files with a low-privilege MIME type. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a user agent believes the content to be HTML (and thus privileged to execute any scripts contained therein), an attacker might be able to steal the user’s authentication credentials and mount other cross-site scripting attacks. (Malicious servers, of course, can specify an arbitrary MIME type in the Content-Type header field.)

This document describes a content sniffing algorithm that carefully balances the compatibility needs of user agents with the security constraints imposed

The algorithm originated from research conducted by Adam Barth, Juan Caballero, and Dawn Song, based on content sniffing algorithms present in popular user agents, an extensive database of existing web content, and metrics collected from implementations deployed to a sizable number of users.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. For readability, these keywords will generally not appear in all uppercase

  • The MIME Sniffing standard defines sniffing resources.
  • 6.2 Matching an audio or video type pattern.
  • 7 Determining the computed MIME type of a resource.
  • 7.1 Identifying a resource with an unknown MIME type.
  • 7.2 Sniffing a mislabeled binary resource.
  • 8.3 Sniffing in an audio or video context.
  • 8.9 Sniffing in a cache manifest context.











