



Internet Explorer MIME Handling Enforcement


What does MIME Handling Enforcement do?

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) type information to decide how to handle files that have been sent by a Web server. For example, when .jpg files are received in response to a Hypertext Transfer Protocol (HTTP) request, they are generally displayed to the user in an Internet Explorer window. If Internet Explorer receives an executable file, it generally prompts the user for a decision on how to handle the file.



In Windows XP Service Pack 2, Internet Explorer will follow stricter rules that are designed to reduce the attack surface for spoofing the Internet Explorer MIME-handling logic.

Who does this feature apply to?

Web developers need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.

Application developers should review this feature to plan to adopt changes in their applications. The feature is not enabled for non-Internet Explorer processes by default and developers will need to register their applications to take advantage of the changes.

End users will be impacted by sites that are not compatible with these stricter rules.

What new functionality is added to this feature in Windows XP Service Pack 2?

MIME-handling file type agreement enforcement

Detailed description

When files are served to the client, Internet Explorer uses the following pieces of information to decide how to handle the file:

File name extension and the corresponding ProgID for the registered handler of that file name extension.

Content-Type from the HTTP header (MIME type) and the corresponding ProgID for the registered handler of that Content or MIME type.

Content-Disposition from the HTTP header.

Results of the MIME sniff.

In Windows XP Service Pack 2, Internet Explorer requires that all file-type information that is provided by Web servers is consistent.

Internet Explorer will enforce consistency between how a file is handled in the browser and how it is handled in the Windows Shell. Using the pieces of data listed above, Internet Explorer will compare the ProgID of the registered MIME handler to the ProgID of the application that would handle the file association. If there is a mismatch between the ProgIDs, Internet Explorer will attempt to load the file in the registered MIME handler but it will not execute the file if that handler fails to load the file.

Also, if the MIME type of a file is "text/plain" but the MIME sniff indicates that the file is really an HTML, media, or executable file, Internet Explorer will not increase the privilege of the file compared to the server's declared MIME type. In a MIME sniff, Internet Explorer examines, or sniffs, a file to recognize the bit signatures of certain types of files. If an incorrectly-configured Web server hosts HTML files but sends text/plain as the Content-Type in the HTTP header, Internet Explorer will show the file as plain text, rather than rendering the HTML. Users may also experience this problem with multimedia, executable and other files of high privilege hosted with an incorrect Content-Type header.

This change does not affect cases where a "content-disposition=attachment" header is sent. In those cases, the file name or extension suggested by the server is considered final and is not changed based on MIME sniffing.

Why is this change important? What threats does it help mitigate?

If file type information is misreported by the server and that information is saved to the computer, a file could be handled incorrectly later. For example, in the scenario above, Internet Explorer might download the file, assuming it is a text file. If the file has the .exe file name extension, the file might run later without prompting the user.

What works differently? Are there any dependencies?

Internet Explorer renames files in the Internet Explorer cache to enforce consistent handling of the file by all applications.

Web developers can isolate applications that stop working because of this behavior by switching off the functionality, as covered in the Settings section later in this document.

How do I resolve these issues?

Web developers must change their Web servers to host files, using consistent headers and file name extensions.

MIME sniffing file type elevation

Detailed description

One of the backup criteria for determining a file type is the result of the MIME sniff. By examining (or sniffing) a file, Internet Explorer can recognize the bit signatures of certain types of files. In Windows XP Service Pack 2, Internet Explorer MIME sniffing will never promote a file of one type to a more dangerous file type. For example, files that are received as plain text but that include HTML code will not be promoted to the HTML type, which could contain malicious code.

Why is this change important? What threats does it help mitigate?

In the absence of other file type information, the MIME sniff might be the only information that determines how to handle a given file download. If, for instance, Internet Explorer upgrades a text file to an HTML file, the file might execute code from the browser and possibly elevate the file's security privilege.

What works differently? Are there any dependencies?

Web servers that do not include the correct Content-Type header with their files and that use non-standard file name extensions for HTML pages now have their pages rendered as plain text rather than HTML.

How do I resolve these issues?

You should configure Web servers to use the correct Content-Type headers or you can name the files with the appropriate file name extension for the application that should handle the file.
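An added example, not part of the original Microsoft text: a small Python audit that a site owner could run over captured responses to find the two inconsistencies described above (file name extension versus Content-Type, and content that sniffs as a more dangerous type than the server declared). The privilege ranking, extension map, signature list and sample responses are assumptions constructed for illustration, not Internet Explorer's internal tables.

```python
import os

# Assumed privilege ranking (higher = more dangerous); illustrative, not IE's internal table.
RANK = {"text/plain": 0, "image/jpeg": 1, "text/html": 2, "application/x-msdownload": 3}
# Assumed extension associations standing in for the registered handlers.
EXT_TYPE = {".txt": "text/plain", ".jpg": "image/jpeg", ".htm": "text/html",
            ".html": "text/html", ".exe": "application/x-msdownload"}


def sniff(body):
    """Minimal signature sniff over the leading bytes (a handful of formats only)."""
    if body.startswith(b"MZ"):
        return "application/x-msdownload"
    if body.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if body[:256].lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "text/plain"


def audit(name, headers, body):
    """Return findings for one response; an empty list means the type information agrees."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    findings = []
    ext_type = EXT_TYPE.get(os.path.splitext(name)[1].lower())
    if ext_type and declared and ext_type != declared:
        findings.append(f"extension implies {ext_type}, header declares {declared}")
    if "attachment" in headers.get("Content-Disposition", "").lower():
        return findings  # server-suggested name is final; sniffing does not change it
    sniffed = sniff(body)
    if declared in RANK and RANK[sniffed] > RANK[declared]:
        findings.append(f"content looks like {sniffed}; handled as {declared}, not promoted")
    return findings


# Constructed sample responses: (file name, response headers, first bytes of body).
SAMPLES = [
    ("photo.jpg", {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0JFIF"),
    ("report.page", {"Content-Type": "text/plain"}, b"<html><body>Q3</body></html>"),
    ("readme.exe", {"Content-Type": "text/plain"}, b"MZ\x90\x00"),
    ("setup.exe", {"Content-Type": "text/plain", "Content-Disposition": "attachment"}, b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, headers, body in SAMPLES:
        print(name, audit(name, headers, body) or "consistent")
```

Any response that produces a finding is one whose header or file name extension should be corrected on the server, as the resolution above describes.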

What settings are added or changed in Windows XP Service Pack 2?

Setting name: IExplore.exe, Explorer.exe
Location: HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\
Previous default value (if applicable): None
Default value:
Possible values: 0 (off), 1 (on)

Setting name: IExplore.exe, Explorer.exe
Location: HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\
Previous default value (if applicable): None
Default value: 1
Possible values: 0 (off), 1 (on)

Do I need to change my code to work with Windows XP Service Pack 2?

You should configure Web servers to use the correct Content-Type headers. You can also name the files with the appropriate file name extension for the application that should handle the file.

