[whatwg] First or last Content-Type header?
Aryeh Gregor
Simetrical+w3c at gmail.com
Tue Jun 2 16:51:38 PDT 2009
On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry <bil at corry.biz> wrote:
> The server should provide a single content-type header that specifies text/plain. In the context that there are two content-type headers, then the answer will depend on which browser you want to protect; IE, set the first header to text/plain; all the others, set the last header to text/plain.
Sending a text/plain Content-Type will not prevent any
(default-configured) version of IE from interpreting the file as HTML,
even if it's the *only* Content-Type header sent. This is why Adam
Barth said "The only browser that uses the first header more or less
ignores it anyway." This apparently isn't fixed even in IE8: it
insists on still upsniffing text/plain to text/html unless you use the
nonstandard header "Content-Type: text/plain; authoritative=true;".
(The reason given is compatibility. As usual, Microsoft seems to have
compatibility problems where all other browsers have been doing the
right thing for years -- maybe because of their intranet usage share.
IE8 at least won't treat image/* as HTML anymore.)
So anyway, IE is irrelevant to this discussion.
Reference: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
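
Added example, not part of the original message: a server-side check for the situation this thread discusses, a response that carries more than one Content-Type header, so that a first-header-wins parser and a last-header-wins parser would settle on different types. The function names (`content_types`, `media_type`, `audit`) and the sample response are constructed for illustration.

```python
# Constructed sample response head (not captured traffic).
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 42\r\n"
    b"content-type: text/plain; charset=utf-8\r\n"
    b"\r\n"
)


def content_types(raw_head: bytes) -> list:
    """Return every Content-Type field value, in the order sent."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header field names are case-insensitive.
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values


def media_type(value: str) -> str:
    """Strip parameters (charset etc.) and normalise case."""
    return value.split(";", 1)[0].strip().lower()


def audit(raw_head: bytes) -> dict:
    """Report what a first-wins and a last-wins client would each pick."""
    values = content_types(raw_head)
    first = media_type(values[0]) if values else None
    last = media_type(values[-1]) if values else None
    return {
        "count": len(values),
        "first_wins": first,
        "last_wins": last,
        # Ambiguous only if the two parsing strategies disagree.
        "ambiguous": len(values) > 1 and first != last,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A response flagged as ambiguous should be fixed at the source so that exactly one Content-Type header is sent.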