RE: Microsoft's "I mean it" content-type parameter

Unfortunately, the existing option in the IE6+ Security Zones UI is both poorly named and does not really do what it implies.  Rather than turning off sniffing altogether, it modifies the behavior only in the case of an "ambiguous" MIME type.  Specifically, "text/plain" and IIRC "application/octet-stream."

The new authoritative=true attribute introduced for IE8 Beta-2, on the other hand, will be effective for all MIME types.  You can simply see what behavior change would result if IE were to universally change behavior by writing a small Fiddler (www.fiddler2.com) response modification rule that sets the authoritative=true attribute for all HTTP responses.

Please do keep in mind, however, that most folks (even the ultra-web engaged on these lists) see but a small fraction of the web, especially considering private address space/intranets, etc.

Thanks,

Eric Lawrence
Program Manager
Internet Explorer - Security
________________________________________
From: ietf-http-wg-request@w3.org [ietf-http-wg-request@w3.org] On Behalf Of Adam Barth [w3c@adambarth.com]
Sent: Thursday, July 03, 2008 11:18 PM
To: Julian Reschke
Cc: Karl Dubost; HTTP Working Group; HTML WG
Subject: Re: Microsoft's "I mean it" content-type parameter

On Thu, Jul 3, 2008 at 11:12 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Adam Barth wrote:
>> I recommend the experiment I mentioned, compiling a browser without
>> content sniffing and actually trying to use the web for a reasonable
>> amount of time.
>
> Or switch it off in the browser, when on IE7:
> <http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx#364853>.

Oh nice, I didn't know about that.  I've attached an (untested) patch
that I think turns off content sniffing in TOT Firefox for those that
would like to try this out.

Adam

Received on Sunday, 6 July 2008 01:27:49 UTC
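
The Content-Type rewrite that a response modification rule like the one described in Eric Lawrence's message would apply to each response, as an added example that is not part of either message and is not FiddlerScript. It is plain JavaScript; the function names are hypothetical, and writing the parameter as `; authoritative=true` is an assumption based on the attribute name given in the message.

```javascript
// Added example. Splits a Content-Type value into media type + parameters,
// honouring quoted-string parameter values, which may themselves contain ';'.
function splitParams(value) {
  const parts = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) {
      cur += ch + value[++i];            // keep escaped char inside quotes
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      cur += ch;
    } else if (ch === ";" && !inQuotes) {
      parts.push(cur.trim());
      cur = "";
    } else {
      cur += ch;
    }
  }
  parts.push(cur.trim());
  return parts.filter((p) => p.length > 0);
}

// Returns the value with authoritative=true present exactly once.
// A missing or empty header is returned unchanged: there is no declared
// type to mark as authoritative.
function markAuthoritative(contentType) {
  if (typeof contentType !== "string") return contentType;
  const [mediaType, ...params] = splitParams(contentType);
  if (mediaType === undefined) return contentType;
  // Drop any existing copy (parameter names are case-insensitive) so the
  // rewritten header never carries conflicting values.
  const kept = params.filter(
    (p) => p.split("=")[0].trim().toLowerCase() !== "authoritative"
  );
  return [mediaType, ...kept, "authoritative=true"].join("; ");
}

// Applies the rewrite to a header map; header names match case-insensitively.
function rewriteResponseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] =
      name.toLowerCase() === "content-type" ? markAuthoritative(value) : value;
  }
  return out;
}
```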