Comments (1)
It's a defense in depth feature. Some browsers / plugins will incorrectly interpret responses as HTML (a feature known as "content sniffing") regardless of other headers and their value, e.g. the Content-Type. This is particularly dangerous when certain characters which would otherwise be harmless in JavaScript strings (e.g. "<") have meaning in HTML context.
It's not uncommon for input parameters to be reflected (e.g. picture a results object, { "searchTerm": "userInput", "results": [ ... ] } ) in responses. An attacker could craft a link like "https://example.com/ajaxSearch?term=$malicious_string" and if a user were to visit it, the script may execute (if content sniffed).
We try to guard against this in api_fixer.py by escaping '<' and so on as '\u003c', but this is another defense mechanism against that style of attack. By serving "content-disposition: attachment" the browser will prompt the user to save the file, rather than possibly execute malicious script in that web origin.
One compromise for local debugging (if you need to see these responses) might be to allow an option to disable this feature in the dev_appserver environment.
from gae-secure-scaffold-python.
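The two mechanisms the comment describes, escaping "<" as "\u003c" inside JSON strings and serving the response as an attachment so a browser that navigates to the URL offers a download instead of rendering it, shown together as an added example. This is illustrative code written for this page; it is not api_fixer.py or any other part of gae-secure-scaffold-python. The function names, the "debug" flag standing in for the dev_appserver-only opt-out suggested above, and the extra "X-Content-Type-Options: nosniff" header (a standard anti-sniffing header the comment does not mention) are assumptions of this example.

```python
import json

# Characters that are harmless inside a JSON string but take on meaning if a
# browser sniffs the response as HTML. They are replaced with \uXXXX escapes,
# which every JSON parser decodes back to the original character, so the
# payload is unchanged for legitimate clients while the raw bytes never
# contain "<".
HTML_SENSITIVE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def escape_json_for_html(payload):
    """Serialize payload to JSON and escape HTML-sensitive characters.

    json.dumps never emits "<", ">" or "&" outside string literals, so a plain
    text replacement on the serialized output can only touch string contents,
    never the JSON structure itself.
    """
    text = json.dumps(payload, separators=(",", ":"))
    for char, escape in HTML_SENSITIVE.items():
        text = text.replace(char, escape)
    return text


def decode_json(text):
    """Parse the escaped JSON back; shows the round trip is lossless."""
    return json.loads(text)


def secure_json_response(payload, debug=False):
    """Build (status, headers, body) for a JSON API response.

    Content-Disposition: attachment makes a browser that is sent directly to
    the URL prompt to save the body rather than execute it in the web origin.
    The debug flag is hypothetical: it stands in for a dev_appserver-only
    option that drops the header so responses can be inspected locally.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Standard header asking the browser not to content-sniff (assumption,
        # not from the comment).
        "X-Content-Type-Options": "nosniff",
    }
    if not debug:
        headers["Content-Disposition"] = 'attachment; filename="response.json"'
    return 200, headers, escape_json_for_html(payload)


if __name__ == "__main__":
    # Constructed example of a reflected search term, as in the comment.
    reflected = {"searchTerm": "<script>alert(1)</script>", "results": []}
    status, headers, body = secure_json_response(reflected)
    print(status, headers)
    print(body)
    # {"searchTerm":"\u003cscript\u003ealert(1)\u003c/script\u003e","results":[]}
```

Note that the escaping is applied to the serialized text rather than to individual fields, so nested results and keys are covered too; a legitimate XMLHttpRequest caller sees exactly the original values after JSON.parse.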