On Wed, Jun 3, 2009 at 12:51 AM, Aryeh Gregor <simetrical+...@gmail.com> wrote:
> Sending a text/plain Content-Type will not prevent any
> (default-configured) version of IE from interpreting the file as HTML,
> even if it's the *only* Content-Type header sent. This is why Adam
> Barth said "The only browser that uses the first header more or less
> ignores it anyway." This apparently isn't fixed even in IE8: it
> insists on still upsniffing text/plain to text/html unless you use the
> nonstandard header "Content-Type: text/plain; authoritative=true;".

http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
- it's "X-Content-Type-Options: nosniff" now (and is used a bit in
practice - it's on about 0.1% of pages from
http://www.dotnetdotcom.org/, though about half of them are owned by
Google or Microsoft).

-- 
Philip Taylor
exc...@gmail.com
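
A header audit for the situation discussed in this thread, as an added example that is not part of either message: it flags text/plain responses sent without "X-Content-Type-Options: nosniff" and responses carrying more than one Content-Type header. The function names, finding labels and sample responses are constructed for illustration, and following the reply above, the authoritative=true parameter is not treated as protection.

```python
# Added example: the sample responses are constructed, not captured traffic.
PLAIN_ONLY = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
PLAIN_NOSNIFF = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 "X-Content-Type-Options: nosniff\r\n\r\nhello")
DOUBLE_CT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Content-Type: text/plain\r\n\r\nhello")
AUTHORITATIVE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/plain; authoritative=true;\r\n\r\nhello")


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw, sniffable=("text/plain",)):
    """List findings for one response; an empty list means nothing flagged."""
    headers = parse_headers(raw)
    ctypes = [v for n, v in headers if n == "content-type"]
    findings = []
    if not ctypes:
        findings.append("no-content-type")
    elif len(ctypes) > 1:
        # Which header wins differs between browsers, so flag any duplicate.
        findings.append("multiple-content-type")
    nosniff = any(n == "x-content-type-options" and v.lower() == "nosniff"
                  for n, v in headers)
    # Compare only the media type, ignoring parameters such as charset.
    media = {c.split(";")[0].strip().lower() for c in ctypes}
    if media & set(sniffable) and not nosniff:
        findings.append("sniffable-without-nosniff")
    return findings


if __name__ == "__main__":
    for name in ("PLAIN_ONLY", "PLAIN_NOSNIFF", "DOUBLE_CT", "AUTHORITATIVE"):
        print(name, audit(globals()[name]))
```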