Comic Update: MIME-Snuffing
July 20, 2008
I’m not a browser security expert, so I’m not weighing in on the topic as such. However, I am a web developer/designer/guy with a slash in his title, so I certainly feel free to hurl my opinion at the topic regardless.
Today’s comic is in reference to Internet Explorer’s dirty little habit of MIME-sniffing, a process whereby under certain circumstances the browser politely thanks a file for trying to tell it what its Content-Type is, then proceeds to beat it about the head until the file cries uncle and sobbingly agrees to be something else.
(I’m aware that all browsers to an extent have to do some sniffing around in certain circumstances. But rather than chastely sniffing a guest’s shoes, IE is the dog that has stuck its head up someone’s skirt, only to frequently come to the wrong conclusion as to what it found).
This is bound to be useful in some cases, I’m sure, such as backwards compatibility with old servers that serve all HTML pages as text/plain. However, historically there have been a number of reasons not to do it, such as pictures with bad script hiding in them that IE goes ahead and runs, and the fact that it goes against the specifications. While we’re at it, it continues to subdivide the Internet into two different groups: those users that see a page as it should be (with a standards-compliant browser), and those that don’t (with IE).
The good news is that according to this post at the IEBlog, they’re fixing a lot of this with IE8. The bad news is, they’re not going as far as they should, for example: “…if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, IE determines that the content should be rendered as HTML.” All in the name of ‘compatibility’. The only way for a page to be rendered as text/plain in IE8 when it has an HTML tag in the file is for the server to add the authoritative=true attribute to the Content-Type header.
So… wait, we’ve got to opt in for plain text files to render properly in IE8? That sounds familiar, a lot like IE8’s original plan to force developers to opt in to rendering their sites correctly in IE8 with a new meta tag. If you didn’t include this little tag, your page would render in all future browsers as it would in IE7. Long story short, that created such a storm from developers that the IE8 team stepped back and changed their minds.
I don’t think that rendering text/plain files as HTML if they’ve got markup in them is an equally volatile subject, but it seems that this new, IE-specific attribute is another step away from standards, rather than toward standards. I think Microsoft is slowly wandering out of the dark and into the sunlight that is a standards-compliant Internet, but I get the feeling that the company will have to keep being poked with sticks to keep it moving in the right direction.
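For anyone serving user-supplied text, the IE8 rule quoted above can be turned into a server-side check. This is an added example, not code from the post or from Microsoft: it flags text/plain responses that contain markup and lack authoritative=true. The tag list, paths and sample responses are constructed assumptions, since the post does not say which markers the browser looks for.

```python
import re
from email.message import Message

# Assumption: a handful of tag names stands in for "HTML content".
# The post does not say which markers the browser actually looks for.
HTML_HINT = re.compile(rb"<\s*(html|head|body|script|iframe|img|a|table)\b", re.I)


def parse_content_type(header_value):
    """Split a Content-Type header value into (media_type, params)."""
    msg = Message()
    msg["Content-Type"] = header_value
    media_type = msg.get_content_type()  # lower-cased "type/subtype"
    # get_params() returns the media type first, then (name, value) pairs.
    pairs = msg.get_params(failobj=[])[1:]
    params = {str(k).lower(): str(v).lower() for k, v in pairs}
    return media_type, params


def may_render_as_html(content_type, body):
    """True when the behaviour described in the post would apply:
    text/plain, markup in the body, and no authoritative=true."""
    media_type, params = parse_content_type(content_type)
    if media_type != "text/plain":
        return False
    if params.get("authoritative") == "true":
        return False
    return HTML_HINT.search(body) is not None


# Constructed sample responses: (path, Content-Type header, body).
SAMPLES = [
    ("/notes.txt", "text/plain", b"Meeting notes, nothing else."),
    ("/paste/1", "text/plain; charset=utf-8",
     b"<html><body>user-supplied text</body></html>"),
    ("/paste/2", "text/plain; charset=utf-8; authoritative=true",
     b"<html><body>user-supplied text</body></html>"),
    ("/index.html", "text/html", b"<html></html>"),
]


def audit(samples):
    """Return the paths whose responses could be re-typed as HTML."""
    return [path for path, ctype, body in samples
            if may_render_as_html(ctype, body)]


if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("text/plain with markup and no authoritative=true:", path)
```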