Msg#: 4222564 posted 3:03 am on Oct 27, 2010 (gmt 0)
Browsers historically have not validated the MIME-type supplied by the server for HTML elements such as LINK and SCRIPT. For instance, all browsers will run script even if the SRC attribute indicates a file declared by the server to be text/plain.
This has created a potential attack vector for hostile sites. With the monster October update, IE6, IE7, and IE8 now block all cross-origin stylesheets delivered with the wrong HTTP response header. It's got to be Content-Type: text/css or it won't run.
In IE9, the mime-type sniffing is turned up another notch:
1. In IE9 Standards Mode, even same-origin stylesheets will be ignored unless they are delivered with a text/css MIME type.
2. SCRIPT elements will reject responses with incorrect MIME types if the server specifies X-Content-Type-Options: nosniff.
3. Documents delivered with a text/plain MIME type will not be MIME-sniffed to another type.
Msg#: 4222564 posted 3:12 pm on Oct 27, 2010 (gmt 0)
Here you go again. So once they find out they broke 50% of all sites, they are going to fall back on "compatibility mode" again... Just to avoid people's perception that it's not the internet, it's IE9 that's broken.
Msg#: 4222564 posted 4:26 pm on Oct 27, 2010 (gmt 0)
Their "we know better than Webmasters" approach which led them to "MIME-sniffing" in the first place is the cause of this problem. If a site is broken, then render it as broken -- at least then there is then some chance that the Webmaster might fix it.
Instead we get the world where IE "sniffs" pages and included objects and tries to "figure out" the MIME-type, while every other browser simply accepts the HTTP Content-Type header sent by the server, as intended by the originators of the HTTP protocol.
This is unnecessary complication, leads to problems such as that described here, and only serves to make IE "look good" and other browsers "look bad" when rendering technically-broken sites. I'd rather see a few broken sites than suffer security problems.
Msg#: 4222564 posted 6:08 pm on Oct 27, 2010 (gmt 0)
We either let webmasters serve up broken sites, and therefore have to program browsers to accept any old junk - which will lead to more and more browser exploits OR we tighten things up so that browsers are more picky in what they allow. If that means that broken sites will display broken, then so be it. The onus should be on the webmaster to follow the standards, standards which have been around for more than decade now.