I ran across this article about IE’s ‘wonderful’ MIME sniffing. Take a look at this report. Apparently, Internet Explorer looks at the first 256 characters of the file requested. If IE thinks it looks like HTML, it interprets it as HTML! So if the first 256 characters contain, say,
<script>run some evil cross-site scripting stuff.....</script>
IE is more than happy to aid and abet screwing over its own user. What I find really horrid is this:
Well, Microsoft thought differently and implemented something they call MIME Type Detection. It means they use the first few hundred bytes of the data and try to guess what the content is. This is a nice idea and even mentioned in RFC 2616:
If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content […]
Unfortunately, Microsoft got the order somehow tangled up: they ignore the sent type and do their guessing first.
Google avoids this problem by sending the response header Content-Disposition: attachment, which forces all browsers to download the content instead of rendering it. Other services re-encode JPEGs, ICOs and the like, so the bytes served are never the exact bytes the uploader supplied. But at the end of the day, come on guys!