Build toy hapi file server to experiment w/ security concerns
CSP
HSTS
Content-Type / mime sniffing
What if no Content-Type is set?
Is it possible to get a browser to execute avatar.jpg? By omitting Content-Type? By trying to inline application/octet-stream? By setting Content-Type to a JS type?
Can you inline application/octet-stream?
Really, is there any benefit to setting Content-Type? Does it actually help us avoid MIME sniffing, where we accept a file that looks valid by its extension but then end up executing code because the browser displays it without enough information (e.g. trying to display an application/octet-stream "image" inline when it is actually a JS file)? Is it ever worth the effort to set Content-Type? Is it necessary for inlining but otherwise not? To inline, do you need to set Content-Disposition?
Is MIME sniffing still a thing?
If you navigate to a link to an application/octet-stream file, does it always download, even if there is no download attribute on the <a> element?
Reading
https://macarthur.me/posts/trigger-cross-origin-download
https://security.stackexchange.com/questions/256357/is-mime-sniffing-still-something-to-protect-against-with-modern-browsers-with-x
https://wanago.io/2022/03/14/mime-sniffing-x-content-type-options-content-type/
https://mimesniff.spec.whatwg.org/