[whatwg] First or last Content-Type header?

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Tue, 2 Jun 2009 19:51:38 -0400
Message-ID: <7c2a12e20906021651g5bd3cccdhd3316dde5e97de0@mail.gmail.com>

On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry <bil at corry.biz> wrote:
> The server should provide a single content-type header that specifies text/plain. In the context that there are two content-type headers, then the answer will depend on which browser you want to protect; IE, set the first header to text/plain; all the others, set the last header to text/plain.

Sending a text/plain Content-Type will not prevent any
(default-configured) version of IE from interpreting the file as HTML,
even if it's the *only* Content-Type header sent.  This is why Adam
Barth said "The only browser that uses the first header more or less
ignores it anyway."  This apparently isn't fixed even in IE8: it
insists on still upsniffing text/plain to text/html unless you use the
nonstandard header "Content-Type: text/plain; authoritative=true;".

(The reason given is compatibility.  As usual, Microsoft seems to have
compatibility problems where all other browsers have been doing the
right thing for years -- maybe because of their intranet usage share.
IE8 at least won't treat image/* as HTML anymore.)

So anyway, IE is irrelevant to this discussion.

Reference: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Received on Tuesday, 2 June 2009 16:51:38 UTC
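
A header lint for the two problems raised in this thread, added here as an example and not part of the original message: it reports duplicate or disagreeing Content-Type headers and text/plain sent without the authoritative=true parameter. The function names and the sample headers are constructed, and the browser behaviour it encodes is what the thread states for 2009-era browsers.

```python
# Added example. Browser behaviour is as stated in the thread (2009), not re-verified.
# Obsolete header line folding is not handled.

def content_types(raw_headers):
    """Return every Content-Type value from a raw header block, in wire order."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values

def parse_media_type(value):
    """Split 'type/subtype; k=v; ...' into (lowercased type, parameter dict)."""
    media_type, *raw_params = [part.strip() for part in value.split(";")]
    params = {}
    for part in raw_params:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return media_type.lower(), params

def audit(raw_headers):
    """Return a list of finding strings; an empty list means nothing to report."""
    values = content_types(raw_headers)
    if not values:
        return ["missing: no Content-Type header, the browser will guess the type"]
    findings = []
    first, first_params = parse_media_type(values[0])   # header IE is said to use
    last, _ = parse_media_type(values[-1])              # header other browsers are said to use
    if len(values) > 1:
        findings.append(f"duplicate: {len(values)} Content-Type headers, send exactly one")
    if first != last:
        findings.append(f"disagree: first header is {first}, last header is {last}")
    if first == "text/plain" and first_params.get("authoritative") != "true":
        findings.append("sniffable: text/plain without authoritative=true may be treated as HTML by IE")
    return findings

# Constructed sample response headers (not captured traffic).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 42\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```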