Event 1064 - MIME Sniffing Restrictions - No Image Elevation to HTML
- Logged Message
- What Is It?
- When Is This Event Logged?
- Example
- Remediation
- Related topics
Logged Message
Windows Internet Explorer 8 uses MIME information to determine how to handle files sent by a Web server. For example, when Windows Internet Explorer receives a .jpg file, the user sees the file in an Windows Internet Explorer window. The MIME Handling Restrictions feature helps prevent script injection attacks against Web servers by ensuring that any content delivered with an IMAGE MIME is not treated as HTML or XML.
What Is It?
If an HTTP server sends content with a MIME type of image/*, then Internet Explorer interrogates the content to verify its type. If Internet Explorer determines that the content is not an image, but (potentially malicious) XML or HTML then it prevents the markup from executing.
When Is This Event Logged?
This event is logged when all of the following are true:
- An HTTP server sends content with a MIME type of image/*
- Internet Explorer does not recognize the content as a known image type (such as .gif or .png)
- Internet Explorer does detect that the content is actually XML or HTML
Example
For this example you will need Visual Web Developer Express (VWDE).
Create a new ASP.NET C# website in VWDE. Call the application MIMETest.
Open the file default.aspx within VWDE and replace its contents with the following:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head > <title>MIME Sniffing Restrictions</title> </head> <body> <form id="form1" > <div> <a href="Handler.ashx">Send html as Gif Mime type.</a> </div> </form> </body> </html>Add a new item to the Web project. When prompted, select the Generic Handler Template. Name the file Handler.ashx. A Handler.ashx file is added to the project.
Now open Handler.ashx and replace its contents with the following:
<%@ WebHandler Language="C#" Class="Handler" %> using System; using System.Web; public class Handler : IHttpHandler { public void ProcessRequest (HttpContext context) { context.Response.ContentType = "image/gif"; context.Response.Write("<html><body><script>alert('test');</script><br /></body></html>"); } public bool IsReusable { get { return false; } } }Make Default.aspx the start page of the application
Press F5 to compile and run the site.
Click the hyperlink on the webpage. The HTTP response sends html to the browser with a image/gif MIME type. Since Internet Explorer interrogates the page and discovers it's actually HTML (and it's potentially dangerous), the event is logged to the compatibility tool.
Note that no message is displayed to the user in the browser when this event occurs. Instead the event is silently logged to the compatibility tool.
Remediation
A legitimate and compelling reason to serve HTML or XML content as an image has not been found, so generally, you should design your site in such a way that this does not become an issue. However there is an option to alter the default behavior through a feature control key.
Security Warning: The MIME Sniffing restrictions are designed to prevent potentially malicious script from being executed in the browser. Disabling the feature should only be used as a temporary measure during troubleshooting—to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.
This feature can be controlled through the following feature control key:
FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE
If a file that contains HTML is delivered as a known image type (for instance, "image/gif") and this feature control key is set to 0 (disabled), the contents of the file are displayed as HTML (unless the browser also receives a "X-Content-Type-Options: nosniff" response header from the Web server).
browser also receives a "X-Content-Type-Options: nosniff" response header from the Web server). This feature control is disabled by setting it to 0 and enabled by setting it to 1. If the feature control key does not exist in the registry, the default is enabled.