Properly Configuring Server MIME Types

Background

By default, many web servers are configured to report a MIME type of text/plain or application/octet-stream for unknown content types. As new content types are invented or added to web servers, web administrators may fail to add the new MIME types to their web server's configuration. This is a major source of problems for users of Gecko-based browsers, which respect the MIME types as reported by web servers and web applications.

What are MIME types?

MIME types describe the media type of content either in email or served by web servers or web applications and are intended to help guide a web browser in how the content is to be processed and displayed. Examples of MIME types are:

  • text/html for normal web pages
  • text/plain for plain text
  • application/octet-stream meaning "download this file"
  • application/x-java-applet for Java applets
  • application/pdf for Adobe® PDF documents.

Technical Background

MIME is currently defined in RFCs 2045, 2046, 2047, 2048, and 2049, and registered values for MIME types are available in IANA | MIME Media Types. The HTTP specification defines a superset of MIME which is used to describe the media types used on the web.

Why are correct MIME types important?

Figure: Example of an incorrect MIME type result

If the web server or application reports an incorrect MIME type for content, a web browser has no way, according to the HTTP specification, of knowing that the author actually intended the content to be processed and displayed in a way different from that implied by the reported MIME type.

Some other web browsers, such as Microsoft® Internet Explorer, try to allow for misconfigured web servers and applications by guessing what the correct MIME type should be. This has sheltered many web administrators from their own errors, since Internet Explorer will continue to process content as expected even though the web server is misconfigured, e.g. it displays an image that is reported to be plain text.

Serving content using the correct MIME type can also be important for security reasons; it's possible for malicious content to affect the user's computer by pretending to be a safe type of document when it is in fact not.

Note: Historically, Firefox has loaded CSS files even if they had the wrong MIME type, as long as the HTML document that requested them was being processed in quirks mode. For security reasons, Gecko 2.0 will no longer do this for stylesheets loaded from a different origin than the requesting document. If your stylesheet comes from a different origin than the document, you must serve it with the correct MIME type (text/css).

Gecko 1.9.1.11 (Firefox 3.5.11) and Gecko 1.9.2.5 (Firefox 3.6.5) also implement this security fix, but to improve compatibility, there's a temporary heuristic that allows the load if the first line in the style sheet appears to be a well-formed CSS construct.

You need to fix your site; this temporary workaround will go away in Firefox 4.

Why browsers should not guess MIME types

Apart from violating the HTTP specification, it is a bad strategy for browsers to guess MIME types for the following reasons:

Loss of control

If the browser ignores the reported MIME type, web administrators and authors no longer have control over how their content is to be processed.

For example, a web site oriented for web developers might wish to send certain example HTML documents as either text/html or text/plain in order to have the documents either processed and displayed as HTML or as source code. If the browser guesses the MIME type, this option is no longer available to the author.

Security

Some content types, such as executable programs, are inherently unsafe. For this reason these MIME types are usually restricted in terms of what actions a web browser will take when given content of that type. An executable program should not be executed on the user's computer and at most should cause a dialog to appear asking the user if they wish to download the file.

MIME type guessing has led to security exploits in Internet Explorer which were based upon a malicious author incorrectly reporting the MIME type of a dangerous file as a safe type. This bypassed the normal download dialog, with Internet Explorer guessing that the content was an executable program and then running it on the user's computer.

How to determine the MIME type sent by a server

In Firefox, load the file and use Tools | Page Info. You can also use Rex Swain's HTTP Viewer or Live HTTP Headers to see the full headers and content of any file sent from a web server.

According to the standards, a meta tag that gives the MIME type such as <meta http-equiv="Content-Type" content="text/html"> should be ignored if there's a Content-Type line in the header. Instead of looking for this line in the HTML source, use the above techniques to determine the MIME type sent by the server.
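The following is an added example, not part of the original document: a small audit script that takes captured raw HTTP responses, reads the media type from the Content-Type header only (ignoring any meta tag in the body, as the paragraph above requires), and flags files whose extension should have been served as something else. The EXPECTED table, the example.test URLs and the response samples are constructed for the example.

```python
import email
import os
from urllib.parse import urlparse

# Media types this site should send per file extension
# (constructed for this example; extend it to cover everything your site serves).
EXPECTED = {
    ".html": "text/html",
    ".css": "text/css",
    ".svg": "image/svg+xml",
    ".pdf": "application/pdf",
}


def parse_content_type(raw_response):
    """Return the media type from the Content-Type header, lower-cased and with
    parameters such as charset removed, or None if the header is absent."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")  # drop the status line
    headers = email.message_from_bytes(header_block)
    value = headers.get("Content-Type")
    return value.split(";", 1)[0].strip().lower() if value else None


def check(url, raw_response):
    """Compare what the server sent with EXPECTED for the URL's extension.
    Only the header counts: a <meta http-equiv="Content-Type"> in the body is
    deliberately not consulted, because a Content-Type header overrides it.
    Extensions missing from EXPECTED are not judged and pass."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    expected = EXPECTED.get(ext)
    sent = parse_content_type(raw_response)
    return {"url": url, "expected": expected, "sent": sent,
            "ok": expected is None or sent == expected}


# Constructed responses standing in for output captured with a header viewer.
SAMPLES = [
    # a stylesheet served as text/plain: Gecko refuses it cross-origin
    ("http://example.test/site.css",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nbody { color: red }"),
    # header says text/html; the meta tag claiming text/plain must be ignored
    ("http://example.test/page.html",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
     b'<meta http-equiv="Content-Type" content="text/plain"><p>hi</p>'),
    # no Content-Type header at all
    ("http://example.test/logo.svg", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


def audit(samples=SAMPLES):
    """Return the check results for every (url, response) pair that failed."""
    return [r for r in (check(u, raw) for u, raw in samples) if not r["ok"]]
```

Run it as `python audit.py` after replacing SAMPLES with responses captured from your own server; each failing entry prints its URL, the type sent and the type expected.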

How to determine the correct MIME type for your content

There are several steps which you can take to determine the correct MIME type value to be used for your content.

  1. If your content was created using a vendor's software application, read the vendor's documentation to see what MIME types should be reported for different media types.
  2. Look in the IANA | MIME Media Types registry which contains all registered MIME types.
  3. If the media type is displayed using a plug-in in Netscape Gecko, install the plug-in and then look in the Help->About Plug-ins Menu to see what MIME types are associated with the media type.
  4. Search for the file extension in FILExt or File extensions reference to see what MIME types are associated with that extension.

How to set up your server to send the correct MIME types

  • If you're using the Apache web server, simply copy this sample .htaccess file to the directory that contains the files that you want to send with the correct MIME types. If you have an entire subdirectory of files, just place the file in the parent directory; you need not place it in each subdirectory.
  • If you're using Microsoft IIS, see this article at Microsoft TechNet.
  • If you're using a server-side script to generate content, you can generally add one line near the top of your script. You can serve content other than HTML from Perl, PHP, ASP, or Java — just change the MIME type accordingly.
    • For Perl CGI, you should have the line print "Content-Type: text/html\n\n"; before any other output lines. If you're using the CGI module, you can use the line print $cgi->header('text/html'); instead, where $cgi is your reference to the CGI instance.
    • For PHP, you should have the line header('Content-Type: text/html'); before any other output lines.
    • For ASP, you should have the line response.ContentType = "text/html"; before any other output lines.
    • For a Java servlet, you should have the line response.setContentType("text/html"); at the top of your doGet or doPost method, where response is a reference to the HttpServletResponse.
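As an added example (not the sample .htaccess the page links to), here is an Apache .htaccess fragment that maps the extensions this site serves to explicit media types; the extension list is an assumption to be adjusted for your own content. The nosniff header is a later addition to the web platform that tells browsers to stop guessing, which is exactly the behaviour the sections above argue for.

```apache
# Map file extensions to the media type that must be reported for them.
# Add a line for every content type your site serves; Apache sends these
# values in the Content-Type header, so browsers no longer have to guess.
AddType text/html .html .htm
AddType text/css .css
AddType text/javascript .js
AddType image/svg+xml .svg
AddType application/pdf .pdf
AddType application/octet-stream .exe .bin

# Ask browsers to trust the declared type instead of sniffing the content
# (requires mod_headers; the directive is skipped if the module is absent).
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Files whose extension is not listed fall back to the server's default, so verify the Content-Type actually sent with the header viewer described above rather than assuming the mapping is complete.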

Original Document Information

  • Author: Bob Clary
  • Last Updated Date: 20 Feb 2003
