[Full-disclosure] www.google.com xss vulnerability Using mhtml

[Michal Zalewski]

> 1.www.google.com app don't filter the CRLF

This is not strictly required; there are other scenarios where this
vulnerability is exploitable.

> 2.IE support mhtml protocol handler to render the mhtml file format,
> and this is the why mhtml: is designed

The real problem is that when mhtml: is used to fetch the container
over an underlying protocol, it does not honor Content-Type and
related headers (or even "nosniff").

/mz