Properly Configuring Server MIME Types
Background
By default, many web servers are configured to report a
MIME type of text/plain for unknown content types.
As new content types are invented or added to web servers,
web administrators may fail to add the new MIME types to their web server's
configuration. This results in the new content being reported as having
MIME type text/plain.
This is a major source of problems for users of Netscape Gecko-based
browsers such as Netscape 6.x, Netscape 7.x, CompuServe 7, AOL for Mac OS X
as well as Mozilla, which respect the MIME types as reported by
web servers and web applications.
What are MIME types?
MIME types describe the media type of content either in email or served by web
servers or web applications and are intended to help
guide a web browser in how the content is to be processed and displayed.
Examples of MIME types are text/html for normal web pages,
application/x-java-applet for Java™ applets and application/pdf
for Adobe® PDF documents.
Web browsers announce to web servers which media types they are capable of processing (as well as preferences for specific types) while web servers respond to web browsers with the requested media and the media (or MIME) type of the content which was returned. This negotiation between web browsers and web servers over the type of content to be served is critical to the architecture of the web. In fact, the HTTP specification requires that a web browser respect the MIME type reported by a web server.
Technical Background
MIME is currently defined in RFCs 2045, 2046, 2047, 2048, and 2049, and registered values for MIME types are listed in the IANA MIME Media Types registry. The HTTP specification defines a superset of MIME which is used to describe the media types used on the web.
Why are correct MIME types important?
If the web server or application reports an incorrect MIME type
for content, a web browser has no way, according to the HTTP specification,
of knowing that the author actually intended the content to be
processed and displayed in a way different from that implied by the reported
MIME type.
Some other web browsers, such as Microsoft® Internet Explorer, try to allow for misconfigured web servers and applications by guessing what the correct MIME type should be. This has sheltered many web administrators from their own errors, since Internet Explorer will continue to process content as expected even though the web server is misconfigured; for example, it displays an image which is reported to be plain text.
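Because a guessing browser hides these errors, the misconfiguration has to be found by checking what the server actually reports. The following audit is an added example, not part of the original article: it takes observed (path, Content-Type) pairs and flags content that fell back to text/plain. The extension map, the verdict names and the sample observations are constructed for illustration.

```python
import posixpath

# Constructed, partial map (the .class pairing is an assumption); extend it from vendor docs or the IANA registry.
EXPECTED = {
    ".html": "text/html",
    ".txt": "text/plain",
    ".pdf": "application/pdf",
    ".class": "application/x-java-applet",
}

def media_type(header):
    """Return the lowercased type/subtype of a Content-Type value, or None if absent or malformed."""
    value = (header or "").split(";", 1)[0].strip().lower()  # drop parameters such as charset
    return value if "/" in value else None

def audit(observations):
    """Return (path, reported, expected, verdict) for each response whose reported type looks wrong."""
    findings = []
    for path, header in observations:
        # Ignore any query string and letter case when taking the extension.
        ext = posixpath.splitext(path.split("?", 1)[0])[1].lower()
        expected, reported = EXPECTED.get(ext), media_type(header)
        if reported is None:
            verdict = "missing-or-malformed"
        elif expected is None:
            if reported != "text/plain":
                continue  # no expectation and not the default: nothing to say
            verdict = "unmapped-extension-as-text/plain"  # likely a new type nobody registered
        elif reported == expected:
            continue  # includes .txt deliberately served as text/plain
        elif reported == "text/plain":
            verdict = "default-fallback"
        else:
            verdict = "wrong-type"
        findings.append((path, reported, expected, verdict))
    return findings

# Constructed sample observations, e.g. collected from HEAD requests against your own site.
SAMPLE = [
    ("/index.html", "text/html; charset=UTF-8"),
    ("/docs/manual.pdf", "text/plain"),
    ("/applets/Clock.class", "Text/Plain; charset=iso-8859-1"),
    ("/examples/source.txt", "text/plain"),
    ("/reports/q1.pdf", None),
    ("/files/form.pdf?v=2", "application/octet-stream"),
    ("/media/intro.xyz", "text/plain"),
]
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```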
Why browsers should not guess MIME types
Apart from violating the HTTP specification, it is a bad strategy for browsers to guess MIME types for the following reasons:
- Loss of control
  If the browser ignores the reported MIME type, web administrators and authors no longer have control over how their content is to be processed.
  For example, a web site oriented for web developers might wish to send certain example HTML documents as either text/html or text/plain in order to have the documents either processed and displayed as HTML or as source code. If the browser guesses the MIME type, this option is no longer available to the author.
- Security
  Some content types, such as executable programs, are inherently unsafe. For this reason these MIME types are usually restricted in terms of what actions a web browser will take when given content of that type. An executable program should not be executed on the user's computer and at most should cause a dialog to appear asking the user if they wish to download the file.
  MIME type guessing has led to security exploits in Internet Explorer which were based upon a malicious author incorrectly reporting a MIME type of a dangerous file as a safe type. This bypassed the normal download dialog resulting in Internet Explorer guessing that the content was an executable program and then running it on the user's computer.
How to determine the correct MIME type for your content
There are several steps which you can take to determine the correct MIME type value to be used for your content.
- If your content was created using a vendor's software application, read the vendor's documentation to see what MIME types should be reported for different media types.
- Look in the IANA MIME Media Types registry, which contains all registered MIME types.
- If the media type is displayed using a plug-in in Netscape Gecko, install the plug-in and then look in the Help->About Plug-ins menu to see what MIME types are associated with the media type.
