This is regarding the application/octet-stream test here:
https://ios.browsr-tests.com/alt/downloads.php

The desktop versions of Chrome, Firefox, and Safari will download the file. Same for Chrome and Firefox on Android. But on iOS, all three browsers execute/interpret the file as if it were HTML, including the Javascript it contains.

My question: Is that okay?

I know that downloads ought to use Content-Disposition: attachment, and this SO answer talks about not relying on Content-Type. But... this still seems wrong.

There were CVEs for treating text/plain as HTML (CVE-2010-1420, CVE-2013-5151). How is that really wrong but application/octet-stream is okay?

adam-p
  • I am not familiar with this topic and this is why this is only a comment, but this really sounds bad. Every content that is unexpected to be parsed as Javascript and *is* poses a security risk. – MiaoHatola Mar 16 '17 at 16:45

1 Answer

My question: Is that okay?

Ignoring the given Content-Type and instead guessing what it might be is a bad idea. This can for example result in bypassing external filters (like firewalls or proxies) which rely on the Content-Type for the type of analysis they do. And it would not be the first time if some parts of the browser use the original Content-Type for their decisions while other parts use the guessed Content-Type, which might result in bypassing browser internal restrictions and filters (like XSS protection filter or similar).

Apart from that, such unexpected behaviour that differs from other browsers (and from the standard) is a nightmare for developers and can also cause security problems. Just imagine that the site offers a way to upload various files which then get offered for download as application/octet-stream, in the hope that this will result in a download. Instead the iOS browser might interpret the file as HTML+JS, which essentially results in a stored XSS.

It is recommended to forcibly disable such guesses by setting `X-Content-Type-Options: nosniff` in the HTTP header.

Steffen Ullrich
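The mitigation the answer describes (serve user-uploaded files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` rather than relying on `application/octet-stream` alone) in working form, as an added example that is not part of the question or the answer above. The `download_headers` builder, the `audit_download_headers` checker, the `DownloadHandler` class and the embedded sample file are all constructed for this illustration; the sample body is an HTML+JS blob standing in for the kind of upload that would become stored XSS if a browser sniffed it.

```python
"""Serve downloads so that browsers cannot sniff them into HTML."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer


def download_headers(filename: str, content_type: str = "application/octet-stream") -> dict:
    """Headers for a response that must be saved, never rendered.

    The filename is reduced to a conservative ASCII set so a user-supplied
    name cannot inject quotes or CR/LF into the Content-Disposition header.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": content_type,
        # attachment: the browser saves the body instead of displaying it
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # nosniff: the browser must not second-guess Content-Type
        "X-Content-Type-Options": "nosniff",
    }


def audit_download_headers(headers: dict) -> list:
    """Return findings for a response meant as a download (empty list = OK)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    disposition = lowered.get("content-disposition", "")
    if not disposition.strip().lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'; browser may render inline")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; MIME sniffing may treat body as HTML")
    if "content-type" not in lowered:
        findings.append("Content-Type missing; browser will guess the type")
    return findings


class DownloadHandler(BaseHTTPRequestHandler):
    """Minimal handler serving a constructed 'upload' as a forced download."""

    # Constructed sample: an uploaded file whose bytes look like HTML+JS.
    FILES = {"/files/report.bin": b"<script>alert('stored xss')</script>"}

    def do_GET(self):
        body = self.FILES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        for name, value in download_headers(self.path.rsplit("/", 1)[-1]).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run locally and fetch http://127.0.0.1:8080/files/report.bin to see the headers.
    HTTPServer(("127.0.0.1", 8080), DownloadHandler).serve_forever()
```

`audit_download_headers` is the check to run against a download endpoint's actual response: a header set that carries only `Content-Type: application/octet-stream`, which is the situation in the question, produces two findings, while the headers from `download_headers` produce none.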