There are websites where you can upload files such as images, but they filter html for security reasons. if you can present that html to someone (e.g. through deeplinking an iframe to the document), it could contain (or load) javascript that runs in the context of that site...
This is why it's important to correctly set the Content-Type header when serving files. Also why it's a good idea to have user-uploaded content served from a separate domain.
If someone uses this trick to upload a PNG like this to your server, and that person is tricked into running it as HTML, then that HTML has access to your cookies and can make AJAX requests (circumvent same origin protection).
If user content is on a separate domain, they can't do that.
Also phishing is a lot easier when you're on the real domain...
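The comment above about setting Content-Type correctly and serving uploads from a separate domain can be shown as code. The following is an added example, not code from the thread: it derives the Content-Type from the file's magic bytes rather than from the client's declared type, rejects mismatches, and adds `X-Content-Type-Options: nosniff` plus a locked-down Content-Security-Policy so the browser cannot reinterpret an image-with-HTML-inside as a document. The hostname `uploads.example.invalid`, the allow-list of image types and the sample uploads are constructed for the example.

```python
"""Decide how to serve a user upload so it can never be rendered as HTML.

Added example (not from the original thread). Assumes uploads are served
from a separate origin, here the constructed hostname uploads.example.invalid.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed allow-list: magic-byte prefix -> MIME type we are willing to serve.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

UPLOAD_HOST = "uploads.example.invalid"  # constructed separate origin for user content


@dataclass
class Decision:
    allowed: bool
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def headers_for_upload(declared_type: str, data: bytes) -> Decision:
    """Choose response headers for a stored upload.

    The client's declared type is only trusted if it matches what the bytes
    say; the Content-Type we emit always comes from sniffing, never from the
    upload form. nosniff stops the browser from second-guessing that type, and
    the CSP sandbox means that even a misconfigured route on this origin would
    run with no script, no origin and no cookies.
    """
    detected = sniff_image_type(data)
    if detected is None:
        return Decision(False, "content does not match any allowed image type")
    if detected != declared_type:
        return Decision(False, f"declared {declared_type} but bytes say {detected}")
    headers = {
        "Content-Type": detected,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        # Informational only: the app must actually host this route on the
        # separate origin; a header cannot move it there.
        "X-Served-From": UPLOAD_HOST,
    }
    return Decision(True, f"served as {detected}", headers)


# Constructed samples.
# 1) A valid PNG signature followed by HTML text, the "image that is also a
#    document" trick described in the thread. Harmless markup only.
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"<html><body>looks like an image</body></html>"
# 2) Plain HTML uploaded with a lying Content-Type of image/png.
PLAIN_HTML = b"<html><body>not an image</body></html>"
# 3) A real-looking GIF header.
GIF_BYTES = b"GIF89a" + b"\x01\x00\x01\x00"


if __name__ == "__main__":
    for declared, blob in (("image/png", POLYGLOT_PNG),
                           ("image/png", PLAIN_HTML),
                           ("image/png", GIF_BYTES)):
        d = headers_for_upload(declared, blob)
        print(declared, "->", "ALLOW" if d.allowed else "REJECT", "|", d.reason, d.headers)
```

The polyglot is still accepted, because it genuinely is a PNG as far as the signature goes; the point is that it leaves the server labelled `image/png` with `nosniff`, so a browser asked to treat it as a document gets an image, not a page. Moving the route to its own origin is what removes the cookies and same-origin access even if one of these headers is ever lost.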