- In 2020
was rebuilt as a
-based browser
and now has the same results as
Conditions:
- X-Content-Type-Options: nosniff
| Content-Type | Format | Browsers | PoC |
|---|---|---|---|
| text/html | html | link | |
| application/xhtml+xml | xml | link | |
| application/xml | xml | link | |
| text/xml | xml | link | |
| image/svg+xml | xml | link | |
| text/xsl | xml | link | |
| text/xsl (UPD 2024) | html | link | |
| application/vnd.wap.xhtml+xml | xml | link | |
| multipart/x-mixed-replace | multipart html | link | |
| text/rdf | xml | link | |
| application/rdf+xml | xml | link | |
| application/mathml+xml | xml | link | |
| text/vtt | html | link | |
| text/cache-manifest | html | link |
| Trick | Separators | Example | Browsers | PoC |
|---|---|---|---|---|
| Multiple Content-Type | , | Fetch Spec: Example Extract a Mime Type Content-Type: text/plain; x=x, text/html, foobar |
link | |
| Mime-type separators | 0x09 ( | Content-Type: text/html(xxx | 0x09 0x28 | |
| Mime-type separators | 0x20 | Content-Type: text/html xxx | 0x20 | |
| Mime-type separators | , ; | Content-Type: text/html,xxx | 0x2C |