Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content (e.g. image, text, application, etc). Back in Internet Explorer 8, we made a few changes to IE’s MIME-sniffing feature that attempts to determine the actual content-type for each downloaded resource. In this post, I discuss how recent changes to IE further improve MIME-handling and make browsing more secure.
Certain HTML elements (LINK and SCRIPT in particular) historically have not attempted to validate the MIME-type supplied by the server. For instance, all browsers will run script even if the SCRIPT’s SRC attribute points at a file declaring that it is text/plain. This can lead to a variety of security vulnerabilities, particularly for LINK elements. There is a rich object model for interacting with stylesheets, and this object model can be abused if the “stylesheet” contains other content.
In an attack scenario, a malicious site could include a LINK reference pointing at another site’s HTML content. If that HTML content contained certain common characters, its content could be read by script in the attacker’s page. This information disclosure could lead to cross-site request forgery and other attacks against web applications. You can learn more about this threat in a paper from Carnegie-Mellon University.
In the October Cumulative update, a change was made to CSS handling in IE6, IE7, and IE8 to block all cross-origin stylesheets unless they have been delivered with the proper HTTP response header:
Content-Type: text/css
This protection helps ensure that LINK and @IMPORT cannot be used as a vector to steal content from another site.
Internet Explorer 9 Beta already included this protection. Additionally, the F12 Developer Tools’ Console included in IE9 shows the following warning message when a cross-origin stylesheet with an incorrect MIME-type is encountered:
Further IE9 Improvements
Beyond the cross-origin stylesheet validation introduced for all versions, Internet Explorer 9 Beta includes some other important changes to MIME-handling behavior to improve security and standards-compliance. These changes could cause problems when displaying content if the Content-Type information is missing or incorrect. The three MIME-handling changes introduced by IE9 are:
- In IE9 Standards Mode, even same-origin stylesheets will be ignored unless they are delivered with a text/css MIME type.
- SCRIPT elements will reject responses with incorrect MIME types if the server specifies X-Content-Type-Options: nosniff.
- Documents delivered with a text/plain MIME type will not be MIME-sniffed to another type.
Change #1 is a requirement of the CSS specification and applies MIME-type validation to same-origin stylesheets when if document is running in IE9 Standards Mode. A concise test case displays red text if a browser applies styles from a stylesheet with an incorrect MIME-type; it renders the text in green if the invalid stylesheet is correctly ignored.
Change #2 impacts the browser’s behavior when the server sends the X-Content-Type-Options: nosniff header on its responses. If the nosniff directive is received on a response retrieved by a SCRIPT reference, IE will not load the “script” file if the MIME type does not match one of the following values ["text/javascript", "application/javascript", "text/ecmascript", "application/ecmascript", "text/x-javascript", "application/x-javascript", "text/jscript", "text/vbscript", "text/vbs"]. When such content is blocked, the F12 developer tools show the following message:
This new protection recently impacted a major site which was delivering JSONP responses with a nosniff header but without a proper JavaScript MIME-type. The site owners have since corrected the misconfiguration.
Change #3 is perhaps the most welcome for many web developers. If IE9 encounters a HTML document delivered with a text/plain content-type, the document will be rendered as plain text unless the site is rendering in Compatibility View. This is useful for web developer scenarios because it allows easier sharing of HTML source code snippets. It’s also a welcome change from a security point-of-view, because IE9 will be less susceptible to script injection attacks in files delivered with a text/plain Content Type.
If you find any sites which are sending improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect!
Thanks,
Eric Lawrence
Program Manager