Microsoft v Google: Handbags Drawn Over HTTP Standards

Eric Lawrence, the Security Program Manager on the IE team at Microsoft has written a blog post about various security features being built into IE8. The post covers everything from XSS, File upload handling, HTML and JSON sanitization and a lot more. The interesting part of the post is about how IE will handle the content-type header, and MIME types. Currently IE (and other browsers) will usually ignore the specified content-type header specified by the server and attempt to interpret the content in the resposne themselves (this is referred to as MIME sniffing). Sometimes the content type detected by the sniffing process is different to the content-type header as specified by the server – and this is where problems arise, in the way different browsers detect and handle different content types.

Sam Ruby posted a quote from the IE blog post where Eric says that IE8 will allow site owners to opt-out of the MIME sniffing process and instead respect the content-type header as specified by the server by adding authoritative=true to the header. Ruby and others strongly supported the initiative, and stated that other browsers should support the same handler as a method for enforcing server content-type headers. The issue here is if enforcing the server-specified content type should be assumed, ie. true by default, as the HTML5 specification assumes false as default (ie. handing over MIME detection and over-ruling to the browser rather than the server or developer).

Sam was attacked in the comment thread for supporting the new ‘standard’, and Dare Obasanjo (a Microsoft employee) chimed in on FriendFeed stating that he found it ironic that Google employees were criticizing Microsoft employees for unilaterally (ie. via a blog post announcement) announcing a new standard way of handling the server content type.

The fight over browser standards continues, and most of these issues are fleshed out on blogs and in a small community – with many of the participants being employees of one organization or another. While having a server have to assert that what it claims as a content type is actually true might seem pedantic, there is a broader issue here about friction between various parties. Small issues can blow up as Microsoft has the leverage to force some parts of what might become a standard because of their market share with IE. There is no right or wrong in this argument, on some issues there is a common sense approach but most participants are blinded by factionalism – which doesn’t bode well for HTML5 as a fresh-slate stanards effort.