MIME Handling Changes in Internet Explorer 6 and up - Microsoft Edge forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

MIME Handling Changes in Internet Explorer 6 and up

tedster

3:03 am on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Browsers historically have not validated the MIME-type supplied by the server for HTML elements such as LINK and SCRIPT. For instance, all browsers will run script even if the SRC attribute indicates a file declared by the server to be text/plain.

This has created a potential attack vector for hostile sites. With the monster October update, IE6, IE7, and IE8 now block all cross-origin stylesheets delivered with the wrong HTTP response header. It's got to be Content-Type: text/css or it won't run.

In IE9, the mime-type sniffing is turned up another notch:

1. In IE9 Standards Mode, even same-origin stylesheets will be ignored unless they are delivered with a text/css MIME type.

2. SCRIPT elements will reject responses with incorrect MIME types if the server specifies X-Content-Type-Options: nosniff.

3. Documents delivered with a text/plain MIME type will not be MIME-sniffed to another type.

[blogs.msdn.com...]

And the moral of the story is - make sure your server MIME types are properly set for all files. You may be seeing fails where previously were none.

JAB Creations

4:43 am on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

This is where Safari comes in handy, it's error handling includes warnings about incorrect mimes.

- John

g1smd

8:30 am on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Now we start seeing all the sites that try cutting corners; when it would have taken mere minutes to do it right the first time.

jdMorgan

11:08 am on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Note that the "standard" Drupal .htaccess code currently returns the incorrect MIME-type for compressed CSS files.

See Drupal .htaccess file - Let's optimise it for speed and efficiency, and fix a few bugs [webmasterworld.com]

Jim

aleksl

3:12 pm on Oct 27, 2010 (gmt 0)

Here you go again. So once they find out they broke 50% of all sites, they are going to fall back on "compatibility mode" again... Just to avoid people's perception that it's not the internet, it's IE9 that's broken.

jdMorgan

4:26 pm on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Their "we know better than Webmasters" approach which led them to "MIME-sniffing" in the first place is the cause of this problem. If a site is broken, then render it as broken -- at least then there is then some chance that the Webmaster might fix it.

Instead we get the world where IE "sniffs" pages and included objects and tries to "figure out" the MIME-type, while every other browser simply accepts the HTTP Content-Type header sent by the server, as intended by the originators of the HTTP protocol.

This is unnecessary complication, leads to problems such as that described here, and only serves to make IE "look good" and other browsers "look bad" when rendering technically-broken sites. I'd rather see a few broken sites than suffer security problems.

Jim

g1smd

6:08 pm on Oct 27, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

We either let webmasters serve up broken sites, and therefore have to program browsers to accept any old junk - which will lead to more and more browser exploits OR we tighten things up so that browsers are more picky in what they allow. If that means that broken sites will display broken, then so be it. The onus should be on the webmaster to follow the standards, standards which have been around for more than decade now.