[whatwg] First or last Content-Type header?

On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry<bil at corry.biz> wrote:
> The server should provide a single content-type header that specifies text/plain. In the context that there are two content-type headers, then the answer will depend on which browser you want to protect; IE, set the first header to text/plain; all the others, set the last header to text/plain.

Sending a text/plain Content-Type will not prevent any
(default-configured) version of IE from interpreting the file as HTML,
even if it's the *only* Content-Type header sent.  This is why Adam
Barth said "The only browser that uses the first header more or less
ignores it anyway."  This apparently isn't fixed even in IE8: it
insists on still upsniffing text/plain to text/html unless you use the
nonstandard header "Content-Type: text/plain; authoritative=true;".

(The reason given is compatibility.  As usual, Microsoft seems to have
compatibility problems where all other browsers have been doing the
right thing for years -- maybe because of their intranet usage share.
IE8 at least won't treat image/* as HTML anymore.)

So anyway, IE is irrelevant to this discussion.

Reference: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
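A defender-side check for the two-header situation the thread discusses, added here as an example and not part of the original post or of any browser's code: it parses a captured HTTP response head and reports what a "first header wins" client and a "last header wins" client would each see, flagging the response as ambiguous when they disagree. The sample responses are constructed for illustration.

```python
# Added example (not from the original post): audit a captured HTTP response
# head for duplicate Content-Type headers. Sample responses are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentTypeAudit:
    first: Optional[str]   # value a "first header wins" client would use
    last: Optional[str]    # value a "last header wins" client would use
    count: int             # number of Content-Type headers present
    ambiguous: bool        # True when the two policies pick different media types


def parse_header_lines(raw_head: str) -> List[Tuple[str, str]]:
    """Split a response head (status line + headers) into (name, value) pairs.
    Names are lower-cased because HTTP field names are case-insensitive."""
    pairs: List[Tuple[str, str]] = []
    for line in raw_head.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the audit
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def media_type(value: Optional[str]) -> Optional[str]:
    """'text/plain; charset=utf-8' -> 'text/plain'; parameters are not a conflict."""
    return value.split(";", 1)[0].strip().lower() if value else None


def audit_content_type(raw_head: str) -> ContentTypeAudit:
    """Report what first-header and last-header clients would each see."""
    values = [v for n, v in parse_header_lines(raw_head) if n == "content-type"]
    first = values[0] if values else None
    last = values[-1] if values else None
    return ContentTypeAudit(first, last, len(values),
                            media_type(first) != media_type(last))


# Constructed sample: the two-header case discussed in the thread.
SAMPLE_DUPLICATE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    "Content-Length: 12\r\ncontent-type: text/plain\r\n\r\n")
# Constructed sample: the recommended shape, exactly one Content-Type header.
SAMPLE_SINGLE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("duplicate", SAMPLE_DUPLICATE), ("single", SAMPLE_SINGLE)):
        print(label, audit_content_type(head))
```

Any response the audit marks ambiguous is one whose effective type depends on the client, which is exactly the case the thread says a server should never produce.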

