net/http: Does DetectContentType support JavaScript?

Question


DetectContentType, JavaScript support?

https://github.com/golang/go/blob/c3931ab1b7bceddc56479d7ddbd7517d244bfe17/src/net/http/sniff.go#L21

Is there a genuine reason behind the http Method DetectContentType to not support JavaScript?

Answer 1

Score: 5


As the doc comment notes, DetectContentType implements the algorithm described at https://mimesniff.spec.whatwg.org/, which does not detect JavaScript. The question then becomes: why doesn't it?

The answer is given in the introduction of the spec:

> These security issues are most severe when an "honest" server allows potentially malicious users to upload their own files and then serves the contents of those files with a low-privilege MIME type. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a user agent believes the content to be HTML (and thus privileged to execute any scripts contained therein), an attacker might be able to steal the user’s authentication credentials and mount other cross-site scripting attacks. (Malicious servers, of course, can specify an arbitrary MIME type in the Content-Type header field.)
>
> This document describes a content sniffing algorithm that carefully balances the compatibility needs of user agent with the security constraints imposed by existing web content.

Labelling untrusted input as JavaScript when it's not (or even when it is!) could lead to security disasters.
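
An added Go example (not part of the original answer or of the Go project's code): it shows what `DetectContentType` reports for a script, HTML and PNG input, and one way a server can send untrusted uploads with a type it chose itself and with client-side sniffing disabled. The sample inputs, the `inlineTypes` allowlist and the helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample uploads (not taken from the original post).
var (
	jsSample   = []byte("function add(a, b) { return a + b; }")
	htmlSample = []byte("<html><body>hello</body></html>")
	pngSample  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
)

// inlineTypes is a hypothetical allowlist of sniffed types served inline.
var inlineTypes = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true}

// sniff returns the media type reported by DetectContentType, minus parameters.
func sniff(data []byte) string {
	ct, _, _ := strings.Cut(http.DetectContentType(data), ";")
	return ct
}

// serveUpload sends untrusted bytes with a server-chosen type and disables
// client-side sniffing; anything off the allowlist becomes a download.
func serveUpload(w http.ResponseWriter, data []byte) {
	ct := sniff(data)
	if !inlineTypes[ct] {
		ct = "application/octet-stream"
		w.Header().Set("Content-Disposition", "attachment")
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(data)
}

// headersFor runs serveUpload against a recorder and returns the response headers.
func headersFor(data []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, data)
	return rec.Result().Header
}

func main() {
	for _, s := range [][]byte{jsSample, htmlSample, pngSample} {
		h := headersFor(s)
		fmt.Printf("sniffed=%-10s served=%s\n", sniff(s), h.Get("Content-Type"))
	}
}
```

The script sample is sniffed as `text/plain`, never as a script type, and both it and the HTML sample are served as `application/octet-stream` attachments because neither is on the allowlist.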

huangapple
  • Published on January 13, 2022, 18:42:02
  • When reposting, please keep the link to this article: https://go.coder-hub.com/70695214.html