Support Article
MIME sniffing has not been disabled for HTTP responses.
SA-34536
Summary
MIME sniffing has not been disabled for HTTP responses, which is a possible security threat.
Error Messages
Not Applicable
Steps to Reproduce
Not Applicable
Root Cause
Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content such as image, text, application, and so on.
For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource.
In some cases, Internet Explorer reports a MIME type different than the type specified by the web server.
For example, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, it determines that the content should be rendered as HTML. However, MIME sniffing can also lead to security problems.
That is, Internet Explorer could misinterpret the content-type of a page and cause undesirable effects.
For instance, an attacker could upload a specially crafted file that contained script content, and then send a link to the file to unsuspecting victims.
When the victim visits the server using Internet Explorer, the malicious file would be misinterpreted as text/html and executed client-side.
This script could then steal the victim’s cookies, generate a phony page, and so on.
ASVS 2016 check: V11.6 (L1, L2, L3).
Resolution
Install HFix-26866 and update the value of the DSS setting below:
Owning RuleSet: Pega-RulesEngine
Setting Purpose: http/responseHeaders
Value: {"X-Content-Type-Options":"nosniff"}
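As an added example (not part of this support article and not Pega code), the following Python script checks whether an HTTP response carries X-Content-Type-Options: nosniff, so the DSS change above can be verified after the hotfix is installed. Header names are matched case-insensitively and the value is tokenised in case a proxy appends to it. The URL on the command line is a placeholder you supply; the two sample header sets are constructed, not captured from a real server.

```python
"""Verify that HTTP responses disable MIME sniffing (X-Content-Type-Options: nosniff).

Added example for checking the resolution above; it is not part of the Pega
article or product. Run it with a URL of your own server as the argument.
"""
import http.client
import sys
import urllib.parse


def nosniff_enabled(headers):
    """Return True if the headers disable MIME sniffing.

    `headers` is an iterable of (name, value) pairs, as returned by
    http.client.HTTPResponse.getheaders(). Header names are case-insensitive,
    and the only defined value is 'nosniff'; anything else leaves the browser
    free to sniff the content type.
    """
    for name, value in headers:
        if name.lower() == "x-content-type-options":
            # Tolerate stray whitespace or a comma-joined duplicate from a proxy.
            tokens = [t.strip().lower() for t in value.split(",")]
            if "nosniff" in tokens:
                return True
    return False


def assess(headers):
    """Return a list of findings for a response (an empty list means OK).

    nosniff only helps when the server also declares a Content-Type, so a
    missing Content-Type is reported as well.
    """
    names = {name.lower() for name, _ in headers}
    findings = []
    if "content-type" not in names:
        findings.append("missing Content-Type")
    if not nosniff_enabled(headers):
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def check_url(url, timeout=10):
    """Fetch `url` once and return (status_code, findings) for its headers."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, assess(resp.getheaders())
    finally:
        conn.close()


# Constructed sample header sets, illustrating a response before and after the fix.
SAMPLE_BEFORE_FIX = [("Content-Type", "text/plain"), ("Cache-Control", "no-cache")]
SAMPLE_AFTER_FIX = [("Content-Type", "text/plain"),
                    ("X-Content-Type-Options", "nosniff")]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python check_nosniff.py https://your-server.example/prweb")
        sys.exit(2)
    status, findings = check_url(sys.argv[1])
    print("HTTP", status)
    for finding in findings or ["OK: MIME sniffing is disabled"]:
        print(" -", finding)
    sys.exit(1 if findings else 0)
```

Point the script at several URLs (static resources as well as the main page), since the DSS setting is expected to apply to every response the server emits; any response that reports a finding still allows sniffing.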
Published March 16, 2017 - Updated October 8, 2020