Running Scripts sent as text/plain


Post by dhouwn »

While browsers won't apply stylesheets sent as text/plain (except in quirks mode), they will run scripts sent with this MIME type. Would many sites break if they wouldn't?

How about adding the prevention of executing external scripts delivered with the wrong MIME type as an experimental feature to NoScript?

Post by Giorgio Maone »


Post by therube »

Happened to have Error Console opened & it mentioned:

Error: The stylesheet http://ibid4216487243.plumd.dnsstuff.com/style.css was not loaded because its MIME type, "text/html", is not "text/css".
Source File: http://www.dnsstuff.com/tools/whois/?ip=
Line: 0

So suppose something like what you suggest is not unheard of.

Post by therube »

Guess it works then ;-).

Post by dhouwn »

Hm… interesting, I had something like this in memory, but then this test passed with no mention in the error console.

therube wrote: So suppose something like what you suggest is not unheard of.

That's a stylesheet…

Post by Giorgio Maone »

dhouwn wrote: Hm… interesting, I had something like this in memory, but then this test passed with no mention in the error console.

Because of the overwhelming false positives which have been found during early testing of this feature, NoScript's inclusion type checking has been carefully tuned to cover a limited but very important scenario: the case of a whitelisted CMS-like site which allows uploading of "safe" file types (e.g. zip archives or text documents). This can be exploited, for instance, by an attacker who manages to compromise another whitelisted site, injecting a script or stylesheet inclusion which references a "fake" zip from the CMS that is actually a JavaScript payload and gets executed because the hosting site is whitelisted.

Therefore the checks are performed only for cross-site inclusions where the origin's base domain differs from the requested file's, and by default server-side scripts (e.g. ASP or PHP URLs) are not checked.

You can see this in action here.
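The decision described in the last post (check only cross-site inclusions, skip server-side script URLs, block on a type mismatch), sketched as an added example that is not part of the thread and not NoScript's own code. All function names, the accepted MIME lists, the server-side extension list, the two-label base-domain shortcut and the handling of a missing Content-Type are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not NoScript's own code.
// Assumption: the MIME types accepted for each inclusion kind.
const ACCEPTED = {
  script: new Set(["application/javascript", "text/javascript",
                   "application/x-javascript", "application/ecmascript"]),
  stylesheet: new Set(["text/css"]),
};
// Assumption: which URL paths count as "server-side scripts".
const SERVER_SIDE = /\.(php|asp|aspx)$/i;

// Naive base domain (last two labels). Real code needs the Public Suffix
// List so that hosts under suffixes such as co.uk are split correctly.
function baseDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Returns true when the inclusion should be blocked.
function shouldBlockInclusion({ pageUrl, resourceUrl, kind, contentType }) {
  const accepted = ACCEPTED[kind];
  if (!accepted) return false; // not a script or stylesheet inclusion
  // Only cross-site inclusions are checked.
  if (baseDomain(pageUrl) === baseDomain(resourceUrl)) return false;
  // Server-side script URLs are exempt by default.
  if (SERVER_SIDE.test(new URL(resourceUrl).pathname)) return false;
  // Drop parameters such as "; charset=utf-8" before comparing.
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  // Assumption: a missing Content-Type is treated as a mismatch.
  return !accepted.has(mime);
}

// Constructed sample requests (hosts use the reserved .example TLD).
const SAMPLES = [
  { pageUrl: "https://blog.example/post/1", kind: "script",        // "fake" zip
    resourceUrl: "https://cms.example/uploads/report.zip", contentType: "application/zip" },
  { pageUrl: "https://www.cms.example/", kind: "script",           // same base domain
    resourceUrl: "https://files.cms.example/uploads/report.zip", contentType: "application/zip" },
  { pageUrl: "https://blog.example/", kind: "script",              // server-side URL
    resourceUrl: "https://cdn.example/loader.php?v=2", contentType: "text/html" },
  { pageUrl: "https://blog.example/", kind: "stylesheet",          // wrong type for CSS
    resourceUrl: "https://cdn.example/theme.css", contentType: "text/plain" },
];

function classifySamples() {
  return SAMPLES.map((s) => shouldBlockInclusion(s));
}
console.log(classifySamples()); // [ true, false, false, true ]
```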