al_9x wrote:
Yes, I saw that, but I am looking for a detailed description of the attack scenario this protects against.
Trusted site allows public uploads of some kinds of files (usually text, images, PDF documents and so on), but not JS/CSS/HTML for obvious security reasons (some Google properties do, for instance).
An attacker manages to inject a short HTML fragment in another trusted site, like
    <script src="http://trusted_uploads.com/some_upload.txt"></script>
where some_upload.txt is a file he previously uploaded to the public, popular and widely trusted trusted_uploads.com web site.
The upload had been allowed by the site because it was of the "innocuous" txt type (and it's served with the proper text/plain content type, which makes everybody feel safe), but in reality it contains a malicious script which is now much more likely to run than if it were sourced from an obscure and temporary Chinese domain. The inclusionType checks will prevent it from running anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
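To make the check described above concrete, here is an added example (not code from the post or from NoScript itself) that models an "inclusion type" policy: a resource fetched by a script tag is refused unless the server's declared Content-Type is a script type. The policy table, the helper names and the sample responses are assumptions constructed for the illustration; NoScript's real rules are more detailed.

```python
"""Added example: a minimal inclusion-type vs. Content-Type check.

A page that does <script src="http://trusted_uploads.com/some_upload.txt">
receives a response declared as text/plain; the check below refuses to let
that response run as script, which is the defensive idea the post describes.
"""

from typing import Optional

# Which declared media types are acceptable for each way a page can include
# a resource. (Assumed policy table for the example, not NoScript's own.)
ALLOWED_TYPES = {
    "script": {"application/javascript", "text/javascript",
               "application/x-javascript", "application/ecmascript"},
    "stylesheet": {"text/css"},
    "image": {"image/png", "image/jpeg", "image/gif", "image/webp",
              "image/svg+xml"},
}


def parse_content_type(header: Optional[str]) -> Optional[str]:
    """Return the lower-cased media type without parameters, or None.

    'Text/JavaScript; charset=utf-8' -> 'text/javascript'
    """
    if header is None:
        return None
    media = header.split(";", 1)[0].strip().lower()
    return media or None


def should_block(inclusion_type: str, content_type_header: Optional[str]) -> bool:
    """True when the declared type does not fit how the page uses the resource.

    A script inclusion whose response is text/plain is blocked; a response
    with no Content-Type at all is also blocked for active content, because
    guessing (sniffing) is exactly what turns a harmless upload into code.
    """
    allowed = ALLOWED_TYPES.get(inclusion_type)
    if allowed is None:
        return False          # inclusion types not in the table are left alone
    media = parse_content_type(content_type_header)
    if media is None:
        return True           # refuse to sniff a missing type for scripts/styles
    return media not in allowed


# Constructed sample responses: (how the page includes it, Content-Type header)
SAMPLES = [
    ("script", "text/plain"),                             # the post's scenario
    ("script", "application/javascript; charset=utf-8"),  # a real script
    ("script", None),                                     # no declared type
    ("stylesheet", "text/plain"),                         # same trick for CSS
    ("image", "image/png"),                               # legitimate image
]


def evaluate(samples=SAMPLES):
    """Run the check over the samples; returns (inclusion, header, blocked)."""
    return [(inc, ct, should_block(inc, ct)) for inc, ct in samples]


if __name__ == "__main__":
    for inc, ct, blocked in evaluate():
        print(f"{inc:10} {str(ct):45} {'BLOCK' if blocked else 'allow'}")
```

The point of the parameter stripping in parse_content_type is that a header such as "text/plain; charset=utf-8" must still be recognised as text/plain; comparing the raw header string would let a charset parameter defeat the check.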