httpd-users mailing list archives

From "Jeff White" <>
Subject [users@httpd] Newer IE SP2 MIME Info
Date Sun, 16 May 2004 18:54:37 GMT

The one quote most non-Windows developers/users will need to fully understand from below is:

Internet Explorer will enforce consistency between how a file is handled in the browser and how it is handled in the Windows Shell.

The Microsoft Windows user interface (UI) provides users with access to a wide variety of objects necessary for running applications and managing the operating system.

Windows Shell

Transcript of TechNet Chat
Windows Shell Chat: GUI, Integration, Storage and More

The newer Windows XP SP2 IE info:

May 14, 2004

Zone Settings for MIME Sniffing

Detailed description

Windows XP Service Pack 2 introduces a new feature control registry setting, for file promotion from one type to another based on a "MIME sniff." A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. For more information about MIME sniffing, see "Internet Explorer MIME Handling Enforcement," later in this document. When this registry setting is on, you can use the URL action flag to further control the setting in each individual security zone. In Security Settings, this URL action is represented by the option Open files based on content, not file extension. This option has two possible values, Enable or Disable:

Security settings are often applied to a zone by a URL security zone template.

Why is this change important?
What threats does it help mitigate?

As originally envisioned, each feature control setting would either be on or off for all security

Customer feedback indicated that more precise tuning with the settings was necessary. For example, the internal workflow of some organizations depends on intranet applications. A feature control that protects users in the Internet zone may cause an intranet application to stop working. Because of this, Microsoft has incorporated the ability to control these security settings by zone.

What works differently?

MIME sniffing, described elsewhere in this document, is a new feature that is introduced in Windows XP Service Pack 2. Adding security settings by zone provides more flexibility in applying the MIME sniffing security feature. This flexibility will provide a more manageable implementation of this new security feature, particularly in intranet scenarios.

Internet Explorer MIME Handling Enforcement

In Windows XP Service Pack 2, Internet Explorer will follow stricter rules that are designed to reduce the attack surface for spoofing the Internet Explorer MIME-handling logic.

Who does this feature apply to?

Web developers need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.

Application developers should review this feature to plan to adopt changes in their applications. The feature is not enabled for non-Internet Explorer processes by default and developers will need to register their applications to take advantage of the

End users will be impacted by sites that are not compatible with these stricter rules.

Internet Explorer will enforce consistency between how a file is handled in the browser and how it is handled in the Windows Shell.

Also, if the MIME type of a file is "text/plain" but the MIME sniff indicates that the file is really an HTML, media, or executable file, Internet Explorer will not increase the privilege of the file compared to the server's declared MIME type. In a MIME sniff, Internet Explorer examines, or sniffs, a file to recognize the bit signatures of certain types of files. If an incorrectly configured Web server hosts HTML files but sends text/plain as the Content-Type in the HTTP header, Internet Explorer will show the file as plain text, rather than rendering the HTML. Users may also experience this problem with multimedia, executable and other files of high privilege hosted with an incorrect Content-Type header. This change does not affect cases where a "content-disposition=attachment" header is sent. In those cases, the file name or extension suggested by the server is considered final and is not changed based on MIME sniffing.

Web developers can isolate non-working applications due to this behavior by switching off the functionality, as covered in the Settings section later in this document.

How do I resolve these issues?

Web developers must change their Web servers to host files, using consistent headers and file name

Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 5: Enhanced Browsing Security

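An added illustration, not part of the original message or of the Microsoft document it quotes: a small Python checker that applies the rules described above to a response's headers and leading bytes, so a site operator can find pages that SP2 will show as plain text instead of promoting them. The signature table is a constructed stand-in for IE's real sniffing list, and headers are assumed to arrive as a plain dict.

```python
import re

# Constructed signature table modelled on the file types the quoted text names
# (HTML, media, executable); an illustration, not IE's real sniffing table.
SNIFF_RULES = [
    ("application/x-msdownload", lambda b: b.startswith(b"MZ")),
    ("image/gif", lambda b: b[:6] in (b"GIF87a", b"GIF89a")),
    ("image/png", lambda b: b.startswith(b"\x89PNG\r\n\x1a\n")),
    ("text/html", lambda b: re.search(
        rb"<(!doctype\s+html|html|head|body|script|iframe)\b", b, re.I) is not None),
]
# The "high privilege" types: SP2 refuses to promote a text/plain response to these.
HIGH_PRIVILEGE = {mime for mime, _ in SNIFF_RULES}

def _header(headers, name):
    """Case-insensitive lookup in a plain {name: value} dict (assumed input shape)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def sniff(body: bytes) -> str:
    """Type the leading 512 bytes look like, or text/plain when nothing matches."""
    head = body[:512]
    for mime, matches in SNIFF_RULES:
        if matches(head):
            return mime
    return "text/plain"

def declared_type(headers) -> str:
    """Content-Type without parameters; a missing header counts as text/plain."""
    return (_header(headers, "Content-Type") or "text/plain").split(";")[0].strip().lower()

def check_response(headers, body: bytes) -> dict:
    """Classify one response by the SP2 rules quoted above. verdict is one of:
    consistent  declared and sniffed types agree
    attachment  Content-Disposition: attachment, so sniffing is not applied
    demoted     text/plain declared but body sniffs high privilege; SP2 shows plain text
    mismatch    any other disagreement the server configuration should fix"""
    declared, sniffed = declared_type(headers), sniff(body)
    disposition = _header(headers, "Content-Disposition").split(";")[0].strip().lower()
    if disposition == "attachment":
        verdict = "attachment"
    elif declared == sniffed:
        verdict = "consistent"
    elif declared == "text/plain" and sniffed in HIGH_PRIVILEGE:
        verdict = "demoted"
    else:
        verdict = "mismatch"
    return {"declared": declared, "sniffed": sniffed, "verdict": verdict}
```

A "demoted" result is exactly the misconfiguration the text describes (an .html file served as text/plain); the remedy it calls for is a consistent Content-Type on the server, not a change in the browser.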
The official User-To-User support forum of the Apache HTTP Server Project.