- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Tue, 2 Jun 2009 19:51:38 -0400
On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry <bil at corry.biz> wrote:

> The server should provide a single content-type header that specifies text/plain. In the context that there are two content-type headers, then the answer will depend on which browser you want to protect; IE, set the first header to text/plain; all the others, set the last header to text/plain.

Sending a text/plain Content-Type will not prevent any (default-configured) version of IE from interpreting the file as HTML, even if it's the *only* Content-Type header sent. This is why Adam Barth said "The only browser that uses the first header more or less ignores it anyway."

This apparently isn't fixed even in IE8: it insists on still upsniffing text/plain to text/html unless you use the nonstandard header "Content-Type: text/plain; authoritative=true;". (The reason given is compatibility. As usual, Microsoft seems to have compatibility problems where all other browsers have been doing the right thing for years -- maybe because of their intranet usage share. IE8 at least won't treat image/* as HTML anymore.)

So anyway, IE is irrelevant to this discussion.

Reference: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Received on Tuesday, 2 June 2009 16:51:38 UTC