Mozilla Firebox browser seems to have developed a tough stance against the MIME Confusion attacks and as a result, has greatly improvised its MIME sniffing ways. Usually, the web browser detects the format of the file without referring to the metadata sent by the web server.
MIME confusion attacks
Now, if the web server sends Content-Type of “image/jpg” Firefox will override the file type part and automatically execute it as an image file. This method is referred to as “MIME sniffing” colloquially. This method also compensates in the case of complete absence of metadata. While the MIME sniffing is actually used to optimize the users experience it also throws open an attack vector called MIME confusion attack.
Beginning from Firefox 50, Firefox will reject stylesheets completely if their images or scripts do not match the MIME types, thus eventually evading the MIME confusion attacks. In such cases, the server sends the response header “X-Content-Type-Options:nosniff”.” The message will be displayed as shown in the screenshot below. Also, we have mentioned the valid content types,
Valid Content-Types for images:
– have to start with “image/”
Valid Content-Types for Scripts:
The bottom line is that browsers like Mozilla Firefox are working towards ensuring a more secure web devoid of malware’s and attacks. MIME confusion attacks have been one of the simpler forms of attacks and by clocking the same Firefox has further strengthened its commitment towards internet security.