Sunday, September 9, 2018

MIME sniffing (Explained by Example)

Any content served over HTTP "should" include metadata about its type. This is so the browser/client knows what to do with it: if the Content-Type header says it is an image, the browser will display it; if it says HTML, the browser will render it and execute any JavaScript it contains.

The Content-Type header is optional, however, and web masters sometimes don't set it, which leaves the browser wondering what kind of content it is consuming. So browsers started reading the actual content and parsing it in order to guess the type.

However, this guessing caused security concerns, which we explain in this video: content the server intended as harmless (a text file or an uploaded "image", say) can be sniffed as HTML and rendered, scripts included. To prevent sniffing, web servers can return the X-Content-Type-Options: nosniff header, which opts the browser out of sniffing the content.
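To make the difference concrete, here is an added example (not from the video or the post) that models, in a deliberately simplified way, how a browser settles on an effective MIME type for a response. It is not the full WHATWG MIME Sniffing Standard algorithm; the sample "upload" body and the magic-number table are constructed for the demo.

```python
# Simplified model of browser MIME handling: a declared Content-Type is
# honoured; when it is missing the body is sniffed, and nosniff stops
# the sniffer from promoting content to a scriptable type (HTML).
# Constructed for illustration, not the real browser algorithm.

# A few well-known magic numbers (constructed subset).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
# Tag prefixes that the sniffer treats as "this is HTML".
HTML_PATTERNS = (b"<!doctype html", b"<html", b"<script", b"<body",
                 b"<iframe", b"<svg")


def sniff_body(body: bytes, allow_scriptable: bool) -> str:
    """Guess a type from the bytes. HTML is only ever returned when
    allow_scriptable is True; nosniff is what clears that flag."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    head = body[:512].lstrip().lower()
    if allow_scriptable and any(head.startswith(p) for p in HTML_PATTERNS):
        return "text/html"
    try:
        body.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def effective_type(headers: dict, body: bytes) -> str:
    """Return the MIME type a (simplified) browser would act on."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    if declared and declared not in ("unknown/unknown", "application/unknown", "*/*"):
        return declared            # server told us; believe it
    return sniff_body(body, allow_scriptable=not nosniff)


# Constructed "uploaded file": text that happens to contain markup.
UPLOAD = b"<html><script>console.log('sniffed as HTML')</script></html>"

if __name__ == "__main__":
    print(effective_type({}, UPLOAD))                                    # text/html
    print(effective_type({"X-Content-Type-Options": "nosniff"}, UPLOAD))  # text/plain
```

Without the header the body is rendered as HTML and the script runs; with nosniff the same bytes are treated as plain text.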

Media types:
https://en.wikipedia.org/wiki/Media_type#Common_examples