Comments on: XSS Vulnerability in Internet Explorer HTML Attachment Download

By: Stephen

Stephen — Mon, 27 Jun 2011 18:36:33 +0000

I don’t know why you say “Now IE8 behaves like Firefox”. Your example page still shows the problem in Internet Explorer 8 when I test it.

It’s fixed in IE9, though. IE9 behaves like Firefox.

For IE8, the “noopen” header is needed for MOST files, not just HTML, due to IE’s mime-type sniffing algorithm. Serving a file as application/octet-stream? Need to disallow “Open” because it may get sniffed as HTML!

And “nosniff” doesn’t seem to have any effect in combination with with “attachment”.

By: HackTalk

HackTalk — Mon, 02 Aug 2010 20:40:45 +0000

Shell of the Future v0.9.0.2 Released…

This was a really good post I mentioned it on my blog…

By: Minh

Minh — Thu, 16 Jul 2009 19:43:52 +0000

Yeah,

I totally agree – firefox handles this far better.

Do you know of any way of handling this issue for older versions of IE 6 & 7?