MIME types and plugins

General discussion about the NoScript extension for Firefox

Post by dhouwn »

I was experimenting around with a test page where Flash content is offered with an invalid MIME type and came across an interesting behaviour with regard to MIME types and plugin blocking, including but not limited to the "forbid other plugins" option; compare especially the 1st and the 2nd picture:

Image Image Image
(don't ask me why in the last image the message suddenly wanted to hide behind the main window, Firefox bug?)

As you can see, the behaviour of "block other plugins" could be more precisely described as "forbid what might be possibly other plugins".
So the fact that the Flash content is blocked in the 3rd picture is really not a bug if you think about it, since NoScript wants to block a plugin as soon as possible and at that moment does not know what type of plugin content it really is and just relies on what the server told it to be, and blocking in case of doubt is what you would expect from a security tool.

However, in the first image, it displays what plugin type it would run as if enabled, since at this point the browser has already told it that it's going to be run as Flash, right?
That makes having "forbid other plugins" set seem to have kind of a drawback in certain cases: Let's say a user knowingly has an outdated Java version (e.g. because of a dumb intranet app), so he/she is aware of this and sees NoScript as a tool that enables him/her to run the app that needs the problematic Java version while at the same time being able to calmly surf the web in the belief that he/she is in full control of where Java can run and therefore can't be exploited. But now with "forbid other plugins" set, this belief would be less justified since a fake MIME type might fool him/her into still running Java from less trusted sources (let's also say the fake MIME type would not be apparently fake but similar to a possibly more "trustworthy" plugin; who would notice the icon?).

A possible countermeasure might be to display an alert with the "real" MIME type, i.e. the one the plugin will run as, in any case (even when the message is disabled or the plugin got enabled through the menu). But then this might be considered such an edge case that doing something about it might not be worth it. What do you think?

Anyway, this thread was more meant to be about documenting and sharing some interesting NoScript behaviour rather than being a bug report (therefore opened in "General" sub-forum).
Last edited by dhouwn on Fri Jun 08, 2012 9:07 pm, edited 4 times in total.

Re: MIME type and plugins

Post by Thrawn »

Interesting observation about MIME types. It seems to me, though, that this is effectively a form of phishing attack, targeted to NoScript users. And even a regular phishing attack could work against NoScript users (unless they're savvy enough to stop & wonder why their 'bank' is no longer whitelisted).

Since NoScript will block downloads of objects until they are allowed, at what point would you suggest showing the real detected MIME type? Should the dialog to temporarily allow them have another option, to download & verify MIME type, then ask again?

ETA: Oops, my dodgy mobile Firefox nightly chopped off the part of your screenshots that included NoScript config. My guess is that in the second scenario, with other plugins allowed, NS received a different MIME type, downloaded it (because it looked ok), but then was a good little paranoid security addon :) and checked the actual file -> Flash -> blocked. So, the only way to display the proper MIME type is to download it. Which is undesirable by default. A very interesting pickup, dhouwn.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Re: MIME type and plugins

Post by dhouwn »

Thrawn wrote: Since NoScript will block downloads of objects until they are allowed, at what point would you suggest showing the real detected MIME type?
After it gets detected as such. So the user would as if allow a plugin that is not Flash, Java or Silverlight according to the server-sent MIME type at first (e.g. through the menu or by clicking the placeholder and confirming the dialog if it's enabled), but should it turn out that it is indeed one of those plugins for which there is an extra checkbox, and that particular checkbox is checked, then a dialog would pop up, informing the user about what plugin it really is and asking him/her explicitly (no matter whether the other dialog is disabled or not) whether he/she really wants to run it.
The cases where plugins are sent with the wrong MIME type (for non-nefarious usage) should be pretty rare (I hope so at least), so as not to cause this feature to be too much of an annoyance.

Re: MIME types and plugins

Post by Thrawn »

More generally, perhaps NS could alert the user *any* time that the detected MIME type doesn't match what the server claimed?
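The check this thread converges on (compare the server-declared MIME type with what the content turns out to be, and ask again when the real type has its own checked "forbid" box), sketched as an added example that is not NoScript code and not from either poster. Detecting the real type from leading-byte signatures is an assumption made here, and `DECLARED`, `declaredFamily`, `sniffFamilies` and `decide` are hypothetical names.

```javascript
// Added example, not NoScript code. Family names and policy shape are assumptions.
const DECLARED = {
  "application/x-shockwave-flash": "flash",
  "application/x-java-applet": "java",
  "application/x-java-vm": "java",
  "application/x-silverlight": "silverlight",
  "application/x-silverlight-2": "silverlight",
};

// Map the server-declared Content-Type to the checkbox that would govern it.
function declaredFamily(contentType) {
  const mime = contentType.split(";")[0].trim().toLowerCase();
  return DECLARED[mime] || "other";
}

// Plugin families suggested by the payload's leading bytes (Uint8Array).
function sniffFamilies(bytes) {
  const head = Array.from(bytes.slice(0, 4));
  const hex = head.map(b => b.toString(16).padStart(2, "0")).join("");
  const ascii = String.fromCharCode(...head.slice(0, 3));
  if (["FWS", "CWS", "ZWS"].includes(ascii)) return ["flash"]; // SWF signatures
  if (hex === "cafebabe") return ["java"];                      // Java class file
  if (hex === "504b0304") return ["java", "silverlight"];       // ZIP: JAR or XAP
  return [];                                                    // no known signature
}

// forbid = { flash, java, silverlight, other }, one boolean per checkbox.
function decide(contentType, bytes, forbid) {
  const declared = declaredFamily(contentType);
  const sniffed = sniffFamilies(bytes);
  const mismatch = sniffed.length > 0 && !sniffed.includes(declared);
  let action = "allow";
  if (forbid[declared]) action = "block";            // declared type alone suffices
  else if (mismatch && sniffed.some(f => forbid[f])) action = "confirm"; // explicit dialog
  else if (mismatch) action = "warn";                // alert on any mismatch
  return { action, declared, sniffed, mismatch };
}

// Constructed sample: a Java class header served under a made-up MIME type,
// with Java forbidden but "other plugins" allowed.
const javaHead = new Uint8Array([0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x33]);
const prefs = { flash: true, java: true, silverlight: true, other: false };
console.log(decide("application/x-example-viewer", javaHead, prefs));
```

A ZIP signature cannot distinguish a JAR from a Silverlight XAP, so the sketch treats it as possibly either and asks for confirmation if either family is forbidden.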