MIME Type vs. Actual Type

A while back I posted Internet Explorer Download Problem: “Unable to open this Internet Site” about how Internet Explorer doesn’t behave properly if the MIME type is set properly. Shortly after I upgraded Firefox and discovered that they had changed the behaviour for Firefox and things broke.

I was serving up an EXE with a ZIP MIME type, “application/zip”, however, Firefox began renaming the file with a “.zip” file extension.

I reported it as a bug in the Mozilla bug tracker, which it technically is, but they will not change the behaviour and cite it as a security feature.

Matthias Versen (Matti) 2011-03-20 09:14:48 PDT

I think this report is invalid. Changing the extension is a security feature.
You can either use the user agent sniffing or use a unused content type like

[reply] [-] Comment 5 Boris Zbarsky (:bz) 2011-03-20 19:13:49 PDT

Yep.  On Windows, if the filename has a “dangerous” extension, we make sure the
extension matches the type it was served with.  Anything else would be really
bad security-wise.

It’s not really worth debating whether or not it should be fixed. It’s their software and they get to decide what gets fixed and what the “proper” behaviour is.

But it is interesting to look at.

File contents are not determined by their file extension. File extensions are by convention, with no necessary connection to the file content. The new Microsoft Office formats, e.g. XSLX, DOCX, PPTX, etc., are all ZIP files with a different file extension. Inside the zip container are the actual files that contain the MS Office documents.

MIME types should be correct though. The IE problem is just kind of wonky, though I can see their security issue, just as the Mozilla have their security issue. They just solve it differently.


Written by:

276 Posts

View All Posts
Follow Me :

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.