MIME Types of script tag (for XSS)

XSS 테스트 도중에 이런 케이스가 있었는데, 실행이 안됬었습니다..

https://gph.is/1yw44rd


[ Request ]
?param=alert(45)/*PLAINTEXT*/

[ Response ]
<script type=“secret!">alert(45)/*
PLAINTEXT
*/</script>

Console 봐도 따로 에러도 안뜨고 … 이상했죠. 좀 뒤적뒤적 찾아보니 script tag에서 허용 가능한 MIME Type이 아니라서 발생한 문제였습니다.
(노리고 구현한건가….)

<script type="hahwul">alert(45)</script>
  <script type="application/ecmascript">console.log('1 - application/ecmascript');</script>
<script type="application/x-javascript">console.log('2 - application/x-javascript');</script>
<script type="text/javascript">console.log('3 - text/javascript');</script>
<script type="">console.log('4 - blank');</script>
<script >console.log('5 - none');</script>
<script type="module">console.log('6 - module');</script>
<script type="hahwul">console.log('7 - hahwul...zz');</script>

custom한 type은 동작하지 않습니다.


이외에도 몇개 더 있는데 허용된 MIME 타입을 보면 이렇습니다.
  +-----------------------------------------------------+
| text/javascript | text/ecmascript |
| text/javascript1.0 | text/javascript1.1 |
| text/javascript1.2 | text/javascript1.3 |
| text/javascript1.4 | text/javascript1.5 |
| text/jscript | text/livescript |
| text/x-javascript | text/x-ecmascript |
| application/x-javascript | application/x-ecmascript |
| application/javascript | application/ecmascript |
+-----------------------------------------------------+

Javascript MIME Types in RFC

MIME Type에 대한 내용은 RFC 문서에 정의되어 있습니다. 물론, RFC 문서 상 데이터가 전부는 아니고 module 같이 특수한 경우도 추가로 더 있습니다. 참고 정도로 보시면 좋을듯하니다.
http://www.rfc-editor.org/rfc/rfc4329.txt
7.  JavaScript Media Types


7.1. text/javascript (obsolete)


Type name: text
Subtype name: javascript
Required parameters: none
Optional parameters: charset, see section 4.1.
Encoding considerations:
The same as the considerations in section 3.1 of [RFC3023].


Security considerations: See section 5.
Interoperability considerations:
None, except as noted in other sections of this document.


Published specification: [JS15]
Applications which use this media type:
Script interpreters as discussed in this document.


Additional information:


Magic number(s): n/a
File extension(s): .js
Macintosh File Type Code(s): TEXT


Person & email address to contact for further information:
See Author's Address section.


Intended usage: OBSOLETE
Restrictions on usage: n/a
Author: See Author's Address section.
Change controller: The IESG.


7.2. application/javascript


Type name: application
Subtype name: javascript
Required parameters: none
Optional parameters: charset, see section 4.1.
Encoding considerations:
The same as the considerations in section 3.2 of [RFC3023].


Security considerations: See section 5.
Interoperability considerations:
None, except as noted in other sections of this document.


Published specification: [JS15]
Applications which use this media type:
Script interpreters as discussed in this document.


Additional information:


Magic number(s): n/a
File extension(s): .js
Macintosh File Type Code(s): TEXT


Person & email address to contact for further information:
See Author's Address section.


Intended usage: COMMON
Restrictions on usage: n/a
Author: See Author's Address section.
Change controller: The IESG.


etc….

Reference

http://www.rfc-editor.org/rfc/rfc4329.txt
https://developer.mozilla.org/ko/docs/Web/HTTP/Basics_of_HTTP/MIME_types