
Microsoft Internet Explorer Forum

    
MIME Handling Changes in Internet Explorer 6 and up
tedster




msg:4222566
 3:03 am on Oct 27, 2010 (gmt 0)

Browsers historically have not validated the MIME-type supplied by the server for HTML elements such as LINK and SCRIPT. For instance, all browsers will run script even if the SRC attribute indicates a file declared by the server to be text/plain.

This has created a potential attack vector for hostile sites. With the monster October update, IE6, IE7, and IE8 now block all cross-origin stylesheets delivered with the wrong HTTP response header. It's got to be Content-Type: text/css or it won't run.

In IE9, the mime-type sniffing is turned up another notch:

1. In IE9 Standards Mode, even same-origin stylesheets will be ignored unless they are delivered with a text/css MIME type.

2. SCRIPT elements will reject responses with incorrect MIME types if the server specifies X-Content-Type-Options: nosniff.

3. Documents delivered with a text/plain MIME type will not be MIME-sniffed to another type.

[blogs.msdn.com...]


And the moral of the story is - make sure your server MIME types are properly set for all files. You may be seeing fails where previously there were none.
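
The rules listed in the post above, expressed as a header audit over constructed sample responses. This is an added example, not part of the original post; the function names, the sample headers, and the set of script MIME types treated as correct are assumptions.

```python
# Added example: models the MIME rules quoted in the post above.
# Assumption: the thread does not list which script types count as correct.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def media_type(headers):
    """Content-Type without parameters such as charset, lowercased."""
    return header(headers, "Content-Type").split(";", 1)[0].strip().lower()

def has_nosniff(headers):
    return header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"

def ie_verdict(element, headers, cross_origin, standards_mode=True):
    """Return (loads, reason) for a 'stylesheet', 'script' or 'document' response."""
    ctype = media_type(headers)
    if element == "stylesheet" and ctype != "text/css":
        if cross_origin:
            return False, "cross-origin stylesheet is not text/css"
        if standards_mode:
            return False, "same-origin stylesheet is not text/css (IE9 Standards Mode)"
    if element == "script" and has_nosniff(headers) and ctype not in SCRIPT_TYPES:
        return False, "nosniff set and script MIME type is wrong"
    if element == "document" and ctype == "text/plain":
        return True, "shown as plain text, not sniffed to another type"
    return True, "ok"

# Constructed sample responses: (element, response headers, cross_origin)
SAMPLES = [
    ("stylesheet", {"Content-Type": "text/css; charset=utf-8"}, True),
    ("stylesheet", {"Content-Type": "application/x-gzip"}, False),  # mis-typed compressed CSS
    ("stylesheet", {"Content-Type": "text/plain"}, True),
    ("script", {"Content-Type": "text/plain"}, False),
    ("script", {"content-type": "text/plain", "x-content-type-options": "NoSniff"}, False),
    ("document", {"Content-Type": "text/plain"}, False),
]

def audit(samples):
    """One row per response: (element, media type, loads, reason)."""
    return [(el, media_type(h), *ie_verdict(el, h, xo)) for el, h, xo in samples]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```
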

 

JAB Creations




msg:4222596
 4:43 am on Oct 27, 2010 (gmt 0)

This is where Safari comes in handy; its error handling includes warnings about incorrect mimes.

- John

g1smd




msg:4222647
 8:30 am on Oct 27, 2010 (gmt 0)

Now we start seeing all the sites that try cutting corners; when it would have taken mere minutes to do it right the first time.

jdMorgan




msg:4222694
 11:08 am on Oct 27, 2010 (gmt 0)

Note that the "standard" Drupal .htaccess code currently returns the incorrect MIME-type for compressed CSS files.

See Drupal .htaccess file - Let's optimise it for speed and efficiency, and fix a few bugs [webmasterworld.com]

Jim

aleksl




msg:4222786
 3:12 pm on Oct 27, 2010 (gmt 0)

Here you go again. So once they find out they broke 50% of all sites, they are going to fall back on "compatibility mode" again... Just to avoid people's perception that it's not the internet, it's IE9 that's broken.

jdMorgan




msg:4222846
 4:26 pm on Oct 27, 2010 (gmt 0)

Their "we know better than Webmasters" approach which led them to "MIME-sniffing" in the first place is the cause of this problem. If a site is broken, then render it as broken -- at least then there is some chance that the Webmaster might fix it.

Instead we get the world where IE "sniffs" pages and included objects and tries to "figure out" the MIME-type, while every other browser simply accepts the HTTP Content-Type header sent by the server, as intended by the originators of the HTTP protocol.

This is unnecessary complication, leads to problems such as that described here, and only serves to make IE "look good" and other browsers "look bad" when rendering technically-broken sites. I'd rather see a few broken sites than suffer security problems.

Jim

g1smd




msg:4222903
 6:08 pm on Oct 27, 2010 (gmt 0)

We either let webmasters serve up broken sites, and therefore have to program browsers to accept any old junk - which will lead to more and more browser exploits OR we tighten things up so that browsers are more picky in what they allow. If that means that broken sites will display broken, then so be it. The onus should be on the webmaster to follow the standards, standards which have been around for more than a decade now.
