IE has performed MIME sniffing since SP2. Before that, the browser used Content-Type to determine the type of the content in the response stream and then called the appropriate handler to process it. For example, text/html indicates that HTML is being received and the page must be rendered as HTML; image/jpeg indicates an image file, so the received data stream is passed to the handler for JPEG streams.
On top of this, IE added MIME sniffing: it determines the type not only from Content-Type but also from the content of the response stream. Suppose the value of Content-Type is text/plain. In non-IE browsers, text/plain indicates ordinary text, and the browser only needs to display the content. In IE, however, if the content of the response is similar to the following:
    <html>
    <script>
    alert(/XSS/);
    </script>
    </html>
After MIME sniffing, IE decides that the content is of type text/html and runs its HTML rendering logic. The /XSS/ dialog box is displayed in the browser.
Because of this IE behavior, a web program must return its responses with the correct Content-Type value so that IE does not try to be "smart".
The problem: suppose we really do need to offer users an ordinary file for download, and the content of that file contains HTML in the form shown above. In this case the value of Content-Type has to be text/plain (because the file really is plain text). What should we do?
Solution: use Content-Disposition.
Content-Disposition format:
"Content-Disposition", "attachment; filename=fname.ext"
Write the file name (such as foo.txt) after filename=. In this case, the browser pops up a dialog box asking whether to save the file.
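
The solution above as a runnable server-side example, added here and not code from the original page: a minimal WSGI application returns a constructed text file with Content-Type text/plain and Content-Disposition attachment. The names safe_filename, download_headers, app and fetch are hypothetical, and taking the file name from the request URL (and therefore stripping path parts, quotes and CR/LF from it) is an assumption of this example.

```python
import re
from wsgiref.util import setup_testing_defaults

# Constructed sample: a plain-text file whose content looks like HTML.
SAMPLE_BODY = b"<html>\n<script>\nalert(/XSS/);\n</script>\n</html>\n"


def safe_filename(name, default="download.txt"):
    """Reduce a request-supplied name to a value safe inside a quoted parameter."""
    # Keep only the last path component (both separator styles).
    name = re.split(r"[\\/]", name)[-1]
    # Drop control characters (CR/LF would split the header), non-ASCII, quotes, backslashes.
    name = re.sub(r'[^\x20-\x7e]|["\\]', "", name).strip(" .")
    return name or default


def download_headers(filename, length):
    """Headers that make the browser offer a save dialog instead of rendering."""
    return [
        ("Content-Type", "text/plain"),
        ("Content-Disposition", 'attachment; filename="%s"' % safe_filename(filename)),
        ("Content-Length", str(length)),
    ]


def app(environ, start_response):
    """Minimal WSGI app: every request gets the sample file as an attachment."""
    # Assumption: the requested file name is the last segment of the URL path.
    requested = environ.get("PATH_INFO", "")
    start_response("200 OK", download_headers(requested, len(SAMPLE_BODY)))
    return [SAMPLE_BODY]


def fetch(path):
    """Call the app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(fetch("/foo.txt")[1])
```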