DoS of TBB when no Content-Type header and more than 512 bytes of content are sent
Following a user question in #tor where the user couldn't open the URL http://cdimage.debian.org/debian-cd/7.1.0/i386/iso-dvd/MD5SUMS in TBB, I decided to investigate the problem by simulating a webserver with netcat. (The file loads fine in non-TBB Firefox; the problem exists in both TBB beta and alpha, presumably also in stable.) Here are my findings:
The above resource is delivered without a Content-Type header by cdimage.debian.org.
Upon retrieving the resource, Firefox displays a blank page and starts consuming 100% CPU (only one core on SMP systems) periodically, backing down for a few seconds every now and then.
When adding a Content-Type header to the server response, Firefox shows the file in the browser (text/plain) or displays the content type warning dialog (other content type), as expected.
One can remove all headers (not including, of course, "HTTP/1.0 200 OK") and the problem will still occur.
The problem stops occurring once 512 bytes or less of content (without headers and \n\n) are sent. The content will then be displayed as a text file in Firefox.
There is no significant change on the wire between the two cases -- the reply consists of two TCP packets broken up at the same point.
In a nutshell, service can be denied by crafting a special server response to an ordinary HTTP request. However, because Firefox only consumes 1 core and occasionally backs down shortly, the user will likely be able to recover from the situation by closing the problematic tab.
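A small checker for the conditions described above, added here as an example and not part of the original ticket: it splits a raw HTTP response at the header/body separator (accepting the bare "\n\n" used in the netcat simulation as well as "\r\n\r\n"), and reports whether the response both lacks a Content-Type header and carries more than 512 bytes of body. The sample responses are constructed, not captured from cdimage.debian.org.

```python
import re

# Body size beyond which the ticket reports the hang (bytes, excluding headers).
BODY_THRESHOLD = 512


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body).

    Both CRLF and bare LF line endings are accepted, since the netcat
    reproduction in the ticket terminated the headers with "\n\n".
    """
    sep = re.search(rb"\r\n\r\n|\n\n", raw)
    if sep is None:
        raise ValueError("no header/body separator found")
    head, body = raw[: sep.start()], raw[sep.end():]
    lines = re.split(rb"\r?\n", head)
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate malformed header lines
        name, value = line.split(b":", 1)
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def matches_ticket_conditions(raw: bytes) -> bool:
    """True when the response has no Content-Type header and more than
    BODY_THRESHOLD bytes of body, the combination the ticket describes."""
    _, headers, body = split_response(raw)
    return "content-type" not in headers and len(body) > BODY_THRESHOLD


# Constructed sample responses (hypothetical, not real server output).
UNTYPED_LARGE = b"HTTP/1.0 200 OK\n\n" + b"x" * 600
UNTYPED_SMALL = b"HTTP/1.0 200 OK\n\n" + b"x" * 512
TYPED_LARGE = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" + b"x" * 600

if __name__ == "__main__":
    for label, raw in (("untyped, 600 B", UNTYPED_LARGE),
                       ("untyped, 512 B", UNTYPED_SMALL),
                       ("text/plain, 600 B", TYPED_LARGE)):
        print(f"{label}: triggers reported condition = {matches_ticket_conditions(raw)}")
```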