Introduction to the
Content sniffing, also known as media type sniffing or MIME sniffing, is the practice of examining the content of a byte stream in an attempt to infer the file format of the data in it. Content sniffing is usually used to compensate for missing or inaccurate metadata, that is, when the media type is not specified exactly.
This article explains common scenarios for content sniffing and the problems that can arise.
MIME types
MIME stands for Multipurpose Internet Mail Extensions. It is a standard that indicates the nature and format of a document, file, or assortment of bytes. It is defined in RFC 6838 of the IETF. The Internet Assigned Numbers Authority (IANA) is responsible for defining all official MIME types.
The MIME structure consists of two parts, type and subtype, separated by a slash (/):
type/subtype
The type represents the general category to which the data belongs, such as video or text. The subtype identifies the exact kind of data of the specified type that the MIME type represents. For example, for the MIME type text, the subtype might be plain (plain text), html (HTML source code), or calendar (iCalendar/.ics files).
Each type has its own set of possible subtypes, and a MIME type must contain both a type and a subtype.
An optional parameter can also be added:
type/subtype; parameter=value
For example, for any MIME type whose main type is text, the optional charset parameter can be used to specify the character set of the data. If no character set is specified, the default is ASCII (US-ASCII), unless overridden by the user agent's settings. To specify a UTF-8 text file, use the MIME type text/plain; charset=utf-8.
MIME types are case insensitive but are traditionally written in lowercase, except for parameter values, whose case may or may not have a specific meaning.
MIME types fall into two classes, discrete and multipart.
Discrete types are types that represent a single file or medium, such as a single text or music file, or a single video.
Multipart types represent documents made up of multiple components, each with its own independent MIME type, or multiple files encapsulated together and sent in one transaction. For example, multiple attachments in an e-mail form a multipart MIME type.
Let’s look at common discrete types:
- application, for example: application/octet-stream, application/pdf, application/pkcs8, and application/zip.
- audio, for example: audio/mpeg and audio/vorbis.
- font, for example: font/woff, font/ttf, and font/otf.
- image, for example: image/jpeg, image/png, and image/svg+xml.
- model, for example: model/3mf and model/vrml.
- text, for example: text/plain, text/csv, and text/html.
- video, for example: video/mp4.
Common Multipart types are as follows:
- message, for example: message/rfc822 and message/partial.
- multipart, for example: multipart/form-data and multipart/byteranges.
Browser sniffing
Because browsers use MIME types, not file extensions, to determine how to handle a URL, it is important that the web server sends the correct MIME type in the Content-Type header of the response. If it is not configured correctly, browsers may misinterpret the contents of files, websites may not function properly, and downloaded files may be processed incorrectly.
To work around this problem, and for a better user experience, many browsers perform MIME content sniffing, which means examining the contents of a file to guess its MIME type.
Different browsers handle MIME sniffing differently. Sniffing can create serious security vulnerabilities, because some MIME types represent executable content: an attacker can confuse the MIME sniffing algorithm into treating a response as one of those types, which allows things that neither the site operator nor the user expected, such as cross-site scripting attacks.
If you don't want browser sniffing, you can set the X-Content-Type-Options header in the server response, for example:
X-Content-Type-Options: nosniff
This header was first supported in IE 8, but almost all browsers now support it.
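The following added example (not code from the original article) models the decision described above: it parses a Content-Type value in the type/subtype; parameter=value form, sniffs the leading bytes against a small signature table, and shows how nosniff changes the type a client acts on. The function names, the signature table and the rule that only text/plain and application/octet-stream are re-sniffed are simplifying assumptions, not any browser's actual algorithm.

```javascript
// Simplified content sniffer: illustrative only, NOT any browser's real algorithm.
// Signature table (magic bytes) for a few of the discrete types listed above.
const SIGNATURES = [
  { mime: "image/png",       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg",      bytes: [0xff, 0xd8, 0xff] },
  { mime: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },  // "%PDF-"
  { mime: "application/zip", bytes: [0x50, 0x4b, 0x03, 0x04] },        // "PK\x03\x04"
];
const HTML_PREFIXES = ["<!doctype html", "<html", "<script", "<body"];

// Split "type/subtype; parameter=value" into a lowercase essence and parameters.
function parseMime(header) {
  if (!header) return null;
  const [essence, ...rest] = header.split(";").map((s) => s.trim());
  if (!/^[^\/\s]+\/[^\/\s]+$/.test(essence)) return null; // need type AND subtype
  const params = {};
  for (const p of rest) {
    const i = p.indexOf("=");
    if (i > 0) params[p.slice(0, i).trim().toLowerCase()] = p.slice(i + 1).trim();
  }
  return { essence: essence.toLowerCase(), params };
}

// Guess a type from the leading bytes; null when nothing matches.
function sniff(body) {
  for (const { mime, bytes } of SIGNATURES) {
    if (bytes.every((b, i) => body[i] === b)) return mime;
  }
  const head = Buffer.from(body.slice(0, 512)).toString("latin1").trimStart().toLowerCase();
  return HTML_PREFIXES.some((p) => head.startsWith(p)) ? "text/html" : null;
}

// Simplified model (assumption): with nosniff the declared type is used as-is.
function effectiveType(contentType, nosniff, body) {
  const declared = parseMime(contentType);
  if (nosniff) return declared ? declared.essence : "application/octet-stream";
  const weak = !declared || ["text/plain", "application/octet-stream"].includes(declared.essence);
  return (weak && sniff(body)) || (declared ? declared.essence : "application/octet-stream");
}

// Constructed sample: an upload served as text/plain whose bytes look like HTML.
const upload = Buffer.from("<script>/* constructed sample */</script>");
console.log(effectiveType("text/plain; charset=utf-8", false, upload)); // text/html
console.log(effectiveType("text/plain; charset=utf-8", true, upload));  // text/plain
```

The two printed lines differ only in the nosniff flag, which is why the header matters most on endpoints that serve user-supplied files.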
Client sniffing
In JS, we often need to check whether the browser is Internet Explorer and then handle it accordingly:
// Detect IE by looking for the IE-specific ActiveXObject constructor
var isIEBrowser = false;
if (window.ActiveXObject) {
    isIEBrowser = true;
}
// Or, shorter:
var isIE = (window.ActiveXObject !== undefined);
The example above is a very simple form of client sniffing: it decides whether the browser is IE by checking whether the window object has an ActiveXObject property.
This article is available at www.flydean.com/content-sni…