On Mon, August 7, 2006 9:53 am, Scott MacVicar wrote:
>  After we recently experienced an XSS through what can only be
>  described
>  as IE's shocking attempt at determining the mime type from the data
>  and
>  ignoring what the server sent

In case anybody finds this in a Google search, I have found that this
IE stupidity or ignoring headers can be worked-around at an
application level by:
A) Forcing the URL to end in the .xyz extension Windows is configured
to believe is the given type of document (eg .pdf for PDF)
B) Putting the content-type/charset in a META tag within an HTML
document [1]

[1] This one really only applies to charset -- apparently, Microsoft
believes web Designers are smarter than web Developers about
content-type... :-v

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php