tedster - 3:03 am on Oct 27, 2010 (gmt 0)
Browsers historically have not validated the MIME-type supplied by the server for HTML elements such as LINK and SCRIPT. For instance, all browsers will run script even if the SRC attribute indicates a file declared by the server to be text/plain.
This has created a potential attack vector for hostile sites. With the monster October update, IE6, IE7, and IE8 now block all cross-origin stylesheets delivered with the wrong HTTP response header. It's got to be Content-Type: text/css or it won't run.
In IE9, the mime-type sniffing is turned up another notch:
1. In IE9 Standards Mode, even same-origin stylesheets will be ignored unless they are delivered with a text/css MIME type.
2. SCRIPT elements will reject responses with incorrect MIME types if the server specifies X-Content-Type-Options: nosniff.
3. Documents delivered with a text/plain MIME type will not be MIME-sniffed to another type.
And the moral of the story is - make sure your server MIME types are properly set for all files. You may be seeing fails where previously were none.