Mozilla Foundation Security Advisory 2009-16

jar: scheme ignores the content-disposition: header on the inner URI

April 21, 2009
Daniel Veditz
Fixed in
  • Firefox 3.0.9


Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks.

This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must:

  1. Allow users to upload arbitrary content
  2. Allow users to set arbitrary MIME types, or specifically serve .jar files as application/java-archive or application/x-jar
  3. Serve the .jar files from a domain containing sensitive content which would otherwise be protected using Content-Disposition: attachment