Historical

Content-Type

October 1, 2020
Abuse: typeMustMatch, iframes, Content-Type, Status Code
Category: Historical
Defenses: Deprecation

Leaking the Content-Type of a request would provide attackers with a new way of distinguishing two requests from each other.

typeMustMatch

typeMustMatch is a Boolean that reflects the typeMustMatch attribute of the object element. It ensures that a certain MIME type is enforced when loading an object by verifying that the Content-Type of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the Content-Type and Status Codes returned by a website [1]. ...

Stateful Browser Features

October 1, 2020
Category: Historical
Defenses: Browser Fix

Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and interfere with the browser, triggering actions that produce side effects on those states.

WebKit – ITP

Intelligent Tracking Prevention (ITP) is a privacy feature that is part of WebKit's Tracking Prevention technologies. It is a combination of several features and aims to prevent a website from tracking a user in a third-party context. ...