You won't be able to assemble a comprehensive list of dangerous MIME types.
While it's straightforward to block text/html, text/xml, image/svg+xml, etc., there are many obscure legacy or vendor-specific MIME types that aren't widely known and might work in some browsers. E.g., the MIME type application/vnd.wap.xhtml+xml is understood as XML in Firefox while it won't trigger in Chrome at all. Proof of concept:
data:application/vnd.wap.xhtml+xml,<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>
Also, there are MIME types that don't immediately lead to XSS but have side effects. E.g., an attacker might want to trick a user into installing a Firefox plugin by supplying content with an application/x-xpinstall MIME type. (This attack will have some additional hurdles, but you get the idea.)
Finally, third-party vendors might also register their own custom MIME types (think Flash applets with application/x-shockwave-flash, Java applets, embedded media players, etc.), some of which have the ability to execute script code. It will be hard to keep track of these on your blacklist.
In conclusion - if you're planning a real-life implementation, you should whitelist harmless MIME types instead of blacklisting dangerous ones.
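As an added illustration of the whitelist-versus-blacklist point above (example code, not part of the original answer): a small Content-Type filter for serving user-supplied files. The SAFE_TYPES allow-list is an assumption chosen for the example; the naive blocklist beside it shows how a vendor type such as application/vnd.wap.xhtml+xml slips through, while the allow-list falls back to a download.

```python
"""Allow-list Content-Type filtering for user-supplied files (added example)."""
from __future__ import annotations

# Assumed allow-list for this example: exact media types considered inert.
# Extend it only with types you have verified do not execute script.
SAFE_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "text/plain", "application/octet-stream",
})

# Naive blocklist of the "obvious" dangerous types, shown only as a contrast.
NAIVE_BLOCKLIST = frozenset({
    "text/html", "text/xml", "application/xml",
    "application/xhtml+xml", "image/svg+xml",
})


def parse_media_type(content_type: str) -> tuple[str, dict[str, str]]:
    """Split 'type/subtype; k=v' into a lowercase media type plus its parameters."""
    main, _, rest = content_type.partition(";")
    params: dict[str, str] = {}
    for part in rest.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
    return main.strip().lower(), params


def blocklist_allows(content_type: str) -> bool:
    """Blocklist decision: anything not explicitly listed is served as declared."""
    media, _ = parse_media_type(content_type)
    return media not in NAIVE_BLOCKLIST


def allowlist_allows(content_type: str) -> bool:
    """Allow-list decision: only exact, known-inert media types pass."""
    media, _ = parse_media_type(content_type)
    return media in SAFE_TYPES


def serving_headers(declared_type: str) -> dict[str, str]:
    """Response headers for a stored file: allow-listed type, else forced download.

    Client-supplied parameters (e.g. charset) are dropped; nosniff stops the
    browser from second-guessing the type we chose.
    """
    media, _ = parse_media_type(declared_type)
    headers = {"X-Content-Type-Options": "nosniff"}
    if media not in SAFE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    elif media == "text/plain":
        headers["Content-Type"] = "text/plain; charset=utf-8"
    else:
        headers["Content-Type"] = media
    return headers
```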