MIME sniffing has not been disabled for HTTP responses.
Summary: MIME sniffing has not been disabled for HTTP responses, which is a possible security threat.
Error Messages: Not Applicable
Steps to Reproduce: Not Applicable
Root Cause: Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content, such as image, text, application, and so on.
For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource.
In some cases, Internet Explorer reports a MIME type different than the type specified by the web server.
For example, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, Internet Explorer determines that the content should be rendered as HTML. However, MIME-sniffing can also lead to security problems.
That is, Internet Explorer could misinterpret the content-type of a page and cause undesirable effects.
For instance, an attacker could upload a specially crafted file that contained script content, and then send a link to the file to unsuspecting victims.
When the victim visits the server using Internet Explorer, the malicious file would be misinterpreted as text/html and executed client-side.
This script could then steal the victim’s cookies, generate a phony page, and so on.
ASVS 2016 Check: V11.6 (L1,2,3)
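An added audit check, not part of this article or of Pega's own code: it parses constructed sample HTTP responses and flags the exposure described above. It assumes the fix works by emitting the X-Content-Type-Options: nosniff response header (the article names only the DSS setting, so that header name is an assumption here).

```python
import re

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    # The article's scenario: HTML body served as text/plain, no nosniff header.
    "plain_html_unprotected": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"<html><body>Rendered as HTML by a sniffing browser</body></html>"
    ),
    # Same body, but the server opts out of sniffing (assumed header).
    "plain_html_protected": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n"
        b"X-Content-Type-Options: nosniff\r\n\r\n"
        b"<html><body>Stays text/plain when nosniff is honoured</body></html>"
    ),
    # Declared type already matches the body; the header is still missing.
    "json_unprotected": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n\r\n"
        b'{"status": "ok"}'
    ),
}

# Leading bytes that a sniffing browser would treat as an HTML document.
HTML_START = re.compile(rb"^\s*<(!doctype\s+html|html|head|body|script|iframe)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into a lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_response(raw: bytes) -> dict:
    """Report whether a response is exposed to MIME sniffing."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    html_body = bool(HTML_START.match(body[:512]))
    return {
        "content_type": declared,
        "finding": not nosniff,  # the scanner finding: opt-out header absent
        # the article's concrete risk: HTML that sniffs as such behind a non-HTML type
        "sniffable_html": html_body and declared != "text/html" and not nosniff,
    }
```

Run `audit_response` over a real capture of your own application's responses to confirm every response carries the opt-out header after the setting is applied.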
Resolution: Install HFix-26866 and update the value of the DSS setting below:
Owning RuleSet: Pega-RulesEngine
Setting Purpose: http/responseHeaders
Published March 6, 2017 - Updated March 16, 2017