github
html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/1036#issuecomment-713186189 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713186189 | MDEyOklzc3VlQ29tbWVudDcxMzE4NjE4OQ== | 9599 | 2020-10-20T22:56:33Z | 2020-10-20T22:56:33Z | OWNER | I think this plus the binary-CSV stuff in #1034 will justify a dedicated section of the documentation to talk about how Datasette handles binary BLOB columns. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713185871 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713185871 | MDEyOklzc3VlQ29tbWVudDcxMzE4NTg3MQ== | 9599 | 2020-10-20T22:55:36Z | 2020-10-20T22:55:36Z | OWNER | I can also use a `Content-Disposition` header to force a download. I'm reasonably confident that the combination of `Content-Disposition` and `X-Content-Type-Options: nosniff` and `application/binary` will let me allow users to download the contents of arbitrary BLOB columns without any XSS risk. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713185173 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713185173 | MDEyOklzc3VlQ29tbWVudDcxMzE4NTE3Mw== | 9599 | 2020-10-20T22:53:41Z | 2020-10-20T22:53:41Z | OWNER | https://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks says: > In Tangled Web Michal Zalewski says: > > > Refrain from using Content-Type: application/octet-stream and use application/binary instead, especially for unknown document types. Refrain from returning Content-Type: text/plain. > > > > For example, any code-hosting platform must exercise caution when returning executables or source archives as application/octet-stream, because there is a risk they may be misinterpreted as HTML and displayed inline. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713184374 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713184374 | MDEyOklzc3VlQ29tbWVudDcxMzE4NDM3NA== | 9599 | 2020-10-20T22:51:22Z | 2020-10-20T22:51:22Z | OWNER | From https://hackerone.com/reports/126197: > archive.uber.com mirrors pypi. When downloading `.tar.gz` files from archive.uber.com, the MIME type is `application/octet-stream`. Injecting `<html><script>alert(0)</script>` into the start of the `.tar.gz` causes an XSS in Internet Explorer due to MIME sniffing. So you do have to be careful not to open accidental XSS holes with `application/octet-stream` thanks to (presumably older) versions of IE. From that thread it looks like the solution is to add a `X-Content-Type-Options: nosniff` header. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713183306 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713183306 | MDEyOklzc3VlQ29tbWVudDcxMzE4MzMwNg== | 9599 | 2020-10-20T22:48:10Z | 2020-10-20T22:48:10Z | OWNER | Twitter thread: https://twitter.com/dancow/status/1318681053347840005 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
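The header combination discussed in issuecomment-713185871 (`Content-Disposition: attachment`, `X-Content-Type-Options: nosniff`, `Content-Type: application/binary`), as an added worked example in Python. This is not Datasette's own code; the function names, the `content_disposition` filename handling and the `sniffable_as_html` check are assumptions made here to illustrate the point. The sniffing check only models the legacy-IE behaviour described in the HackerOne report quoted above (HTML at the start of a body served as `application/octet-stream` or `text/plain` with no `nosniff`), it is not a faithful browser implementation. The sample BLOB is constructed.

```python
"""Serve raw BLOB column bytes as a download without a MIME-sniffing XSS."""
import re
from urllib.parse import quote

# Constructed sample: the trick from the HackerOne report, HTML markup at the
# start of bytes that are not HTML (a gzip magic number follows).
SAMPLE_BLOB = b"<html><script>alert(0)</script>" + b"\x1f\x8b\x08\x00" + b"\x00" * 16


def content_disposition(filename: str) -> str:
    """Build a `Content-Disposition: attachment` value for an untrusted filename.

    A filename derived from a primary key or column name must not be able to
    inject quotes or CR/LF into the header, so the ASCII `filename=` parameter
    is reduced to a safe character set and the original name is carried in the
    RFC 5987 `filename*` parameter, percent-encoded.
    """
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return 'attachment; filename="{}"; filename*=UTF-8\'\'{}'.format(
        ascii_name, quote(filename, safe="")
    )


def blob_download_headers(filename: str, body: bytes) -> dict:
    """Headers for a forced download of arbitrary BLOB bytes (hypothetical helper)."""
    return {
        # application/binary rather than application/octet-stream, per the
        # Tangled Web advice quoted in the thread.
        "Content-Type": "application/binary",
        # Stops sniffing in browsers that honour the header.
        "X-Content-Type-Options": "nosniff",
        # Forces a download, so even a sniffing browser does not render inline.
        "Content-Disposition": content_disposition(filename),
        "Content-Length": str(len(body)),
    }


def sniffable_as_html(headers: dict, body: bytes) -> bool:
    """Approximate the legacy sniffing risk from the thread.

    Returns True when the response could plausibly be rendered inline as HTML:
    the body starts with HTML markup, the declared type is octet-stream,
    text/plain or missing, and neither nosniff nor an attachment disposition
    is present. This is a model of the described risk, not a browser.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    attachment = headers.get("Content-Disposition", "").strip().lower().startswith("attachment")
    looks_like_html = body.lstrip()[:256].lower().startswith(
        (b"<html", b"<!doctype html", b"<script", b"<body")
    )
    if nosniff or attachment:
        return False
    return looks_like_html and ctype in {"application/octet-stream", "text/plain", ""}


if __name__ == "__main__":
    unsafe = {"Content-Type": "application/octet-stream"}
    print("octet-stream, no nosniff:", sniffable_as_html(unsafe, SAMPLE_BLOB))
    safe = blob_download_headers('row 1" evil.tar.gz', SAMPLE_BLOB)
    print("hardened headers:", sniffable_as_html(safe, SAMPLE_BLOB))
    print(safe["Content-Disposition"])
```

The `content_disposition` helper is the caveat a practitioner would add on top of the thread's three headers: once downloads are keyed by user-controlled row data, the filename itself becomes header-injection surface, so it is sanitised before it is placed in the ASCII parameter.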