Background
By default, many web servers are configured to report a MIME type of text/plain
or application/octet-stream
for unknown content types. As new content types are invented or added to web servers, web administrators may fail to add the new MIME types to their web server's configuration. This is a major source of problems for users of Gecko-based browsers, which respect the MIME types as reported by web servers and web applications.
What are MIME types?
MIME types describe the media type of content either in email or served by web servers or web applications and are intended to help guide a web browser in how the content is to be processed and displayed. Examples of MIME types are:
text/html
for normal web pagestext/plain
for plain textapplication/octet-stream
meaning "download this file"application/x-java-applet
for Java™ appletsapplication/pdf
for Adobe® PDF documents.
Technical Background
MIME is currently defined in RFCs 2045, 2046, 2047, 2048, and 2049 and registered values for MIME types are available in IANA | MIME Media Types. The HTTP specification defines a superset of MIME which is used to describe the media types used on the web.
Why are correct MIME types important?
If the web server or application reports an incorrect MIME type for content, a web browser has no way, according to the HTTP specification, of knowing that the author actually intended the content to be processed and displayed in a way different from that implied by the reported MIME type.
Some other web browsers, such as Microsoft® Internet Explorer, try to allow for misconfigured web servers and applications by guessing what the correct MIME type should be. This has sheltered many web administrators from their own errors, since Internet Explorer will continue to process content as expected even though the web server is misconfigured, e.g. displays an image which is reported to be plain text.
Serving content using the correct MIME type can also be important for security reasons; it's possible for malicious content to affect the user's computer by pretending to be a safe type of document when it is in fact not.
Note: Historically, Firefox has loaded CSS files even if they had the wrong MIME type, as long as the HTML document that requested them was being processed in quirks mode. For security reasons, Gecko 2.0 will no longer do this for stylesheets loaded from a different origin than the requesting document. If your stylesheet comes from a different origin than the document, you must serve it with the correct MIME type (text/css
).
Gecko 1.9.1.11 (Firefox 3.5.11) and Gecko 1.9.2.5 (Firefox 3.6.5) also implement this security fix, but to improve compatibility, there was a temporary heuristic that allows the load if the first line in the style sheet appears to be a well-formed CSS construct; the heuristic has been removed in Firefox 4, and you have to properly set the text/css
MIME types to have your CSS pages recognized.
Why browsers should not guess MIME types
Apart from violating the HTTP specification, it is a bad strategy for browsers to guess MIME types for the following reasons:
Loss of control
If the browser ignores the reported MIME type, web administrators and authors no longer have control over how their content is to be processed.
For example, a web site oriented for web developers might wish to send certain example HTML documents as either text/html
or text/plain
in order to have the documents either processed and displayed as HTML or as source code. If the browser guesses the MIME type, this option is no longer available to the author.
Security
Some content types, such as executable programs, are inherently unsafe. For this reason these MIME types are usually restricted in terms of what actions a web browser will take when given content of that type. An executable program should not be executed on the user's computer and at most should cause a dialog to appear asking the user if they wish to download the file.
MIME type guessing has led to security exploits in Internet Explorer which were based upon a malicious author incorrectly reporting a MIME type of a dangerous file as a safe type. This bypassed the normal download dialog resulting in Internet Explorer guessing that the content was an executable program and then running it on the user's computer.
How to determine the MIME type sent by a server
In Firefox, load the file and use Tools | Page Info. You can also use Rex Swain's HTTP Viewer or Live HTTP Headers to see the full headers and content of any file sent from a web server.
According to the standards, a meta
tag that gives the MIME type such as <meta http-equiv="Content-Type" content="text/html">
should be ignored if there's a Content-Type
line in the header. Instead of looking for this line in the HTML source, use the above techniques to determine the MIME type sent by the server.
How to determine the correct MIME type for your content
There are several steps which you can take to determine the correct MIME type value to be used for your content.
- If your content was created using a vendor's software application, read the vendor's documentation to see what MIME types should be reported for different media types.
- Look in the IANA | MIME Media Types registry which contains all registered MIME types.
- If the media type is displayed using a plug-in in Netscape Gecko, install the plug-in and then look in the Help->About Plug-ins Menu to see what MIME types are associated with the media type.
- Search for the file extension in FILExt or File extensions reference to see what MIME types are associated with that extension.
How to set up your server to send the correct MIME types
The fundamental idea is to configure your server to send the correct Content-Type
HTTP header for each document.
- If you're using the Apache web server, simply copy this sample .htaccess file to the directory that contains the files that you want to send with the correct MIME types. If you have an entire subdirectory of files, just place the file in the parent directory; you need not place it in each subdirectory.
- If you're using Microsoft IIS, see this article at Microsoft TechNet.
- If you're using a server-side script to generate content, you can generally add one line near the top of your script. You can serve content other than HTML from Perl, PHP, ASP, or Java — just change the MIME type accordingly.
- For Perl CGI, you should have the line
print "Content-Type: text/html\n\n";
before any other output lines. If you're using the CGI module, you can use the lineprint $cgi->header('text/html');
instead, where$cgi
is your reference to the CGI instance. - For PHP, you should have the line
header('Content-Type: text/html');
before any other output lines. - For ASP, you should have the line
response.ContentType = "text/html";
before any other output lines. - For a Java servlet, you should have the line
response.setContentType("text/html");
at the top of yourdoGet
ordoPost
method, whereresponse
is a reference to theHttpServletResponse
.
- For Perl CGI, you should have the line
Related Links
- Incorrect MIME Type for CSS Files
- IANA | MIME Media Types
- Hypertext Transfer Protocol — HTTP/1.1
- Microsoft - 293336 - INFO: WebCast: MIME Type Handling in Microsoft Internet Explorer
- Microsoft - Appendix A: MIME Type Detection in Internet Explorer
- Microsoft - Security Update, March 29, 2001
- Microsoft - Security Update, December 13, 2001
Original Document Information
- Author: Bob Clary, date: 20 Feb 2003