On Mon, August 7, 2006 9:53 am, Scott MacVicar wrote:
> After we recently experienced an XSS through what can only be described
> as IE's shocking attempt at determining the mime type from the data and
> ignoring what the server sent

In case anybody finds this in a Google search, I have found that this IE stupidity of ignoring headers can be worked around at an application level by:

A) Forcing the URL to end in the .xyz extension Windows is configured to believe is the given type of document (e.g. .pdf for PDF)
B) Putting the content-type/charset in a META tag within an HTML document [1]

[1] This one really only applies to charset -- apparently, Microsoft believes web Designers are smarter than web Developers about content-type... :-v

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
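
The two workarounds from the message above, combined in one PHP handler, as an added example that is not code from the thread or from PHP itself. The type-to-extension map, the `<script>/<id>/<name>.<ext>` URL layout and every function name are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The map below, the
// <script>/<id>/<name>.<ext> URL layout and all names are assumptions.
const EXT_FOR_TYPE = [
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt',
    'text/html'       => 'html',
];

// Workaround A: build the URL whose last segment ends in the extension that
// matches the declared type, whatever name the document was stored under.
function canonical_url(string $script, int $id, string $name, string $type): string
{
    if (!array_key_exists($type, EXT_FOR_TYPE)) {
        throw new InvalidArgumentException("no extension known for $type");
    }
    $stem = pathinfo(basename($name), PATHINFO_FILENAME); // drop stored extension
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem) ?: 'file';
    return "$script/$id/$stem." . EXT_FOR_TYPE[$type];
}

// Workaround B: declare the charset inside the HTML document as well.
// $charset must already be validated (serve() does this).
function with_meta_charset(string $html, string $charset): string
{
    if (stripos($html, 'http-equiv="Content-Type"') !== false) {
        return $html;                       // document already declares it
    }
    $meta = '<meta http-equiv="Content-Type" content="text/html; charset=' . $charset . '">';
    $out  = preg_replace('/<head(\s[^>]*)?>/i', '$0' . $meta, $html, 1, $count);
    return $count ? $out : $meta . $html;   // no <head>: put the tag first
}

function serve(string $script, string $requestPath, int $id, string $name,
               string $type, string $charset, string $body): void
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $charset)) {
        throw new InvalidArgumentException('bad charset');
    }
    $want = canonical_url($script, $id, $name, $type);
    if ($requestPath !== $want) {           // wrong or missing extension in the URL
        header("Location: $want", true, 302);
        return;
    }
    if ($type === 'text/html') {
        $body = with_meta_charset($body, $charset);
    }
    header('Content-Type: ' . $type . (strncmp($type, 'text/', 5) === 0 ? "; charset=$charset" : ''));
    echo $body;
}
```

Call `serve()` with `$_SERVER['SCRIPT_NAME']` and the path part of `$_SERVER['REQUEST_URI']`; a request for `/download.php/7/report.html` whose declared type is `application/pdf` is redirected to `/download.php/7/report.pdf` before any body is sent.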