
Should I use text/plain instead? Or is text/json actually going to turn out the same when it comes to cross-site security?

Either way, the content will be valid JSON; I just want to make sure I am right about the Content-Type header.

700 Software

2 Answers


There are no security considerations affecting the choice of mime type for the request answer. Note that the proper mime type for JSON is application/json.

Sérgio Carvalho
  • I recommend you read the book The Tangled Web. It explains content sniffing in detail. – Erlend Apr 28 '12 at 05:10
  • Don't speak up from the soapbox. I read the Tangled Web. I still stand by my assertion that the content of the HTTP content header poses no security considerations. Whatever you can exploit with mime-type application/json you can exploit with text/plain. – Sérgio Carvalho Apr 29 '12 at 16:05
  • 1
    In general or only in this specific scenario? (I don't understand what you mean by your first sentence, but sorry if I somehow offended you) – Erlend Apr 30 '12 at 09:56
  • 2
    Btw. here is an example that seems to contradict your statement that "whatever you can exploit with mime-type application/json you can exploit with text/plain": http://erlend.oftedal.no/blog/research/json/testbench.html – Erlend May 29 '12 at 08:35

Yes, there are security implications. Browsers, especially IE, will often second-guess the content type. The reasoning is that some time back, servers delivered everything as the same content type, so browsers had to make guesses to display things correctly. text/plain is notorious for content sniffing (second-guessing). If your JSON contains HTML inside some of the values, there is a chance that if you open the URL directly in the browser, the browser will determine that it's HTML and render it. This could lead to XSS.

Erlend
  • 2
    This is a common myth and as myths usually go, it is false. The Microsoft reference for mime type detection is: http://msdn.microsoft.com/en-us/library/ms775147%28v=vs.85%29.aspx Note, from that document that: a) text/plain is never rendered as HTML in the restricted zone; and b) Unknown mime types are never guessed. This is the behavior all the way back from IE6SP2, launched eight years ago. text/json either is handled as json or handled as an unknown type. It's XSS safe. – Sérgio Carvalho Apr 29 '12 at 16:24
  • 1
    I see this discussion popping up in forums from time to time. Random example from 2011: http://www.highdots.com/forums/html/ie-ignores-text-plain-again-299596.html – Erlend Apr 30 '12 at 10:00
  • I set up a testbed a while back, which indicates that at least IE9 will treat text/plain as HTML under some circumstances: http://erlend.oftedal.no/blog/research/json/testbench.html – Erlend Mar 12 '13 at 19:34
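As an added example (mine, not code from the question or either answer), the following shows what the second answer's scenario looks like from the server side: the same JSON payload with HTML inside a value, once served the weak way (text/plain, nothing else) and once the way a JSON endpoint should serve it. Two things in it are assumptions not stated on the page: the `X-Content-Type-Options: nosniff` header, which tells browsers not to second-guess the declared type, and the habit of emitting `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026`, which is still valid JSON but leaves no literal markup in the body for a sniffer to find. The `audit_json_response` checker is a small review aid that flags the properties the answer's XSS concern depends on.

```python
import json
import re

# Constructed sample payload: a JSON value that carries HTML markup and an
# ampersand, the situation the answer above describes.
SAMPLE_DATA = {"comment": "<b>bold</b> & more", "user": "alice"}

# Opener of an HTML tag, comment, doctype or processing instruction.
_HTML_TOKEN = re.compile(r"<[a-zA-Z!/?]")


def build_json_response(data, nosniff=True, escape_html=True):
    """Serialize `data` as JSON and return (headers, body).

    With escape_html=True the literal characters '&', '<' and '>' are written
    as \\u0026, \\u003c and \\u003e. A JSON parser decodes them back to the
    original characters, so consumers see identical data, but the raw body no
    longer contains anything that reads as markup. (Assumption: this escaping
    and the nosniff header are the hardening, not anything the page prescribes.)
    """
    body = json.dumps(data, separators=(",", ":"))
    if escape_html:
        # '&' first so the backslash sequences added afterwards are untouched.
        body = (body.replace("&", "\\u0026")
                    .replace("<", "\\u003c")
                    .replace(">", "\\u003e"))
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers, body


def audit_json_response(headers, body):
    """Return a list of findings for a response that is meant to carry JSON.

    Each finding is one property that lets a sniffing browser treat the body
    as something other than JSON. An empty list means none were found.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append("content-type is %s, expected application/json"
                        % (media_type or "missing"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("x-content-type-options: nosniff is missing")

    try:
        json.loads(body)
    except ValueError:
        findings.append("body is not valid JSON")

    if _HTML_TOKEN.search(body):
        findings.append("body contains literal HTML markup")

    return findings


if __name__ == "__main__":
    # The weak variant: valid JSON, but labelled text/plain with no nosniff.
    weak_headers = {"Content-Type": "text/plain"}
    weak_body = json.dumps(SAMPLE_DATA)
    print("weak:", audit_json_response(weak_headers, weak_body))

    # The hardened variant produced by build_json_response.
    headers, body = build_json_response(SAMPLE_DATA)
    print("hardened:", audit_json_response(headers, body) or "no findings")
    print(body)
```

The escaping step matters independently of the header: even a client that ignores `Content-Type` entirely finds no `<` in the body, while any JSON consumer still receives the original strings unchanged.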