{"id":2573,"date":"2020-04-07T02:21:19","date_gmt":"2020-04-07T09:21:19","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2573"},"modified":"2020-04-07T02:21:19","modified_gmt":"2020-04-07T09:21:19","slug":"firefox-75-will-respect-nosniff-for-page-loads","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/","title":{"rendered":"Firefox 75 will respect &#8216;nosniff&#8217; for Page Loads"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Before a browser can display a web page, the rendering engine checks and verifies the MIME type of the document being loaded. In the case of an HTML page, for example, the rendering engine expects a MIME type of &#8216;text\/html&#8217;. Unfortunately, time and time again, misconfigured web servers incorrectly use a MIME type which does not match the actual type of the resource. If strictly enforced, this mismatch in types would degrade a user&#8217;s experience. More precisely, the rendering engine within a browser will try to interpret the resource based on the ruleset for the provided MIME type and at some point would simply have to give up trying to display the resource. To compensate, Firefox implements a MIME type sniffing algorithm &#8211; amongst other techniques, Firefox inspects the initial bytes of a file and searches for &#8216;Magic-Numbers&#8217;, which allow it to determine the MIME type of a file independently of the one set by the server.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whilst sniffing the MIME type of a document improves the browsing experience for the majority of users, it also enables so-called MIME confusion attacks. In more detail, imagine an application which allows hosting of images. 
Let&#8217;s further assume the application allows users to upload &#8216;.jpg&#8217; files but fails to correctly verify that users of that application actually upload only valid .jpg files. An attacker could craft an &#8216;evil.jpg&#8217; file containing valid HTML and upload it through the application. An innocent user of that application expects only images to be displayed. Within the browser, however, the MIME sniffer steps in, determines that the file contains valid HTML, and overrides the MIME type to load the file like any other page within the application. Additionally, embedded JavaScript fragments within that page will be treated as same-origin and hence be granted the same permissions as the host application. In turn, the granted permissions allow the attacker to gain access to confidential user information.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To mitigate such MIME confusion attacks, Firefox expands support for the header &#8216;X-Content-Type-Options: nosniff&#8217; to page loads (<\/span><a href=\"https:\/\/fetch.spec.whatwg.org\/#x-content-type-options-header\"><span style=\"font-weight: 400;\">view specification<\/span><\/a><span style=\"font-weight: 400;\">). 
Firefox has supported &#8216;XCTO: nosniff&#8217; for JavaScript and CSS resources since <\/span><a href=\"https:\/\/blog.mozilla.org\/security\/2016\/08\/26\/mitigating-mime-confusion-attacks-in-firefox\/\"><span style=\"font-weight: 400;\">Firefox 50<\/span><\/a><span style=\"font-weight: 400;\">, and starting with Firefox 75<\/span> <span style=\"font-weight: 400;\">it will use the provided MIME type for page loads even if it is incorrect.<\/span><\/p>\n<div id=\"attachment_2575\" style=\"width: 1323px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png\"><img aria-describedby=\"caption-attachment-2575\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2575 size-full\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png\" alt=\"\" width=\"1313\" height=\"673\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png 1313w, https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1-252x129.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1-600x308.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1-768x394.png 768w\" sizes=\"(max-width: 1313px) 100vw, 1313px\" \/><\/a><p id=\"caption-attachment-2575\" class=\"wp-caption-text\"><b>Left:<\/b> Firefox 74 ignoring XCTO, sniffing HTML, and executing script. <br \/><b>Right:<\/b> Firefox 75 respecting XCTO, and defaulting to plaintext.<\/p><\/div>\n<p><span style=\"font-weight: 400;\">If the provided MIME type does not match the content, Firefox will not sniff the MIME type but will show an error to the user instead. As illustrated above, if no MIME type was provided at all, Firefox will try to use plaintext or prompt a download. 
Showing the user an error in the case of a detected MIME type mismatch instead of trying to sniff and render a potentially malicious page allows Firefox to mitigate such MIME confusion attacks.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prior to being able to display a web page within a browser the rendering engine checks and verifies the MIME type of the document being loaded. In case of an &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/\">Read more<\/a><\/p>\n","protected":false},"author":1698,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[447605,280776],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 75 will respect &#039;nosniff&#039; for Page Loads - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sebastian Streich, Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/\",\"name\":\"Firefox 75 will respect 'nosniff' for Page Loads - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png\",\"datePublished\":\"2020-04-07T09:21:19+00:00\",\"dateModified\":\"2020-04-07T09:21:19+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png\",\"width\":1313,\"height\":673},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-
will-respect-nosniff-for-page-loads\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 75 will respect &#8216;nosniff&#8217; for Page Loads\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c\",\"name\":\"Sebastian Streich\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5ae2aa1055487a323cc1eb8cfd5a240e\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g\",\"caption\":\"Sebastian Streich\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Firefox 75 will respect 'nosniff' for Page Loads - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/","twitter_misc":{"Written by":"Sebastian Streich, Christoph Kerschbaumer","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/","url":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/","name":"Firefox 75 will respect 'nosniff' for Page Loads - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png","datePublished":"2020-04-07T09:21:19+00:00","dateModified":"2020-04-07T09:21:19+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2020\/03\/image1.png","width":1313,"height":673},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2020\/04\/07\/firefox-75-will-respect-nosniff-for-page-loads\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 75 
will respect &#8216;nosniff&#8217; for Page Loads"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c","name":"Sebastian Streich","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5ae2aa1055487a323cc1eb8cfd5a240e","url":"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g","caption":"Sebastian Streich"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2573"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1698"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2573"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2573\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2573"},{"taxonomy":"author","embeddable"
:true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}