views:

44

answers:

1

I am wondering which mime types are dangerous in browsers to be set as the Content Type, if any?

I am noticing that a lot of forum software, when uploading files, uses application/octet-stream for any files other than images and places that into the Content Type of the header when outputting it. I am wondering why they don't place the actual mime-type into the Content Type instead? Are there security risks involved with this? So far I have used text/css, text/plain, audio/mpeg, and many others and haven't noticed any difference between application/octet-stream and these others.

Does anyone out there know the exact difference, and what makes application/octet-stream any better, or any worse, to use for the Content Type?

Or perhaps there are browser limitations?

I'm talking about getting the Content Type when uploading a file, using $_FILES['myFile']['type'], storing that information into the database, and then using that Content Type in the header for that file when it is called upon. Are there any security risks involved with this, and/or browser limitations?

Updated

If a user uploads a file in IE, and I am using the $_FILES['type'] variable to store the mime-type into the database, and then another user accesses the file and I get the mime type from the database for the file that was uploaded with the IE mime type, and that user is using Firefox to access the file, would that cause any problems? Or vice versa; I am wondering if this would be a problem for any browsers, for that matter.

Thank You :)

A: 

You can basically use whatever mime type you like. If the browser understands the mime type, it will try to render it; if the browser has plugins set for that specific mime type it will try to launch it; otherwise you just get a download dialog.

The reason why application/octet-stream is used that much is because it more or less implies that a download dialog will show in the browser. So by using that mime type in the Content-Type header, you can force the browser to show a download dialog. That is basically the only reason it is used in such situations.

poke
Hello, can you give me an example of a mime type that would try to be rendered by the browser, other than an image mime type? Also, if the user uploads the file in, say, Internet Explorer, and then another user tries to access the file in, say, Firefox, would this cause problems for the mime type? I believe Firefox and IE read certain file types differently as different mime types. But my question is, would this cause problems in this situation or vice versa?
SoLoGHoST
Furthermore, are you saying that if the browser doesn't recognize the mime type it will automatically give it a download dialog? Is that the case for all browsers? If that's the case, then why do they bother using `application/octet-stream`? Thanks again.
SoLoGHoST
It doesn't really matter how you upload the file, as the mime type itself is not transferred, but most times (if not ignored altogether) guessed from the file extension (the server can do that). Simple mime types that get rendered in the browser are nearly all text mime types, for example, or PDFs when you have a reader plugin installed. In any case it is dependent on the browser, the available plugins and the settings (e.g. you can set the available applications for mime types in Firefox). In any case, if you know the mime type for sure, and you don't want to force people to download the file, [...]
poke
[...] just offer the correct type. There is a reason that browsers or plugins add support for them, and there is a reason why people might set their settings to do a different action. In that way it should really be up to the user what happens. Otherwise you are correct, the browser will offer a download dialog if the mime type is unknown; except for `application/octet-stream`. That mime type is standardized and has the download action as the recommended action when a client tries to open it (see http://tools.ietf.org/html/rfc2046#page-13). So use only this when you want exactly that action.
poke
There are, however, better ways for forcing a download. `Content-Disposition`, for one.
TRiG
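The question asks whether storing `$_FILES['myFile']['type']` and replaying it in the response header is risky, and the answer and comments cover `application/octet-stream` versus `Content-Disposition`. The following is an added example, not code from the question, the answer or any commenter, showing one defensive way to put those pieces together in PHP. The point it demonstrates is that `$_FILES[...]['type']` is sent by the uploader's browser and can say anything, so the server should detect the type from the file's bytes, allow-list the types it is willing to let a browser render inline (types such as text/html or image/svg+xml are left out because a browser would execute script in them under the site's origin), and fall back to a forced download for everything else. `UPLOAD_DIR`, the `INLINE_TYPES` list and the function names are assumptions for this example; they do not come from the page.

```php
<?php
// Added example (not from the question or answers): serving an uploaded file
// without trusting the client-supplied $_FILES['myFile']['type'].
// Assumptions: uploads live outside the web root under UPLOAD_DIR, and the
// database row holds a random storage id, the detected type and the original
// name (used for display only).

declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';  // assumed path, not from the page

// Types the browser may render inline. Anything else is served as a download.
// text/html, application/xhtml+xml and image/svg+xml are deliberately absent:
// the browser would render user-supplied content in this site's origin.
const INLINE_TYPES = [
    'image/png'       => true,
    'image/jpeg'      => true,
    'image/gif'       => true,
    'audio/mpeg'      => true,
    'text/plain'      => true,
    'application/pdf' => true,
];

/**
 * Determine the MIME type from the file's bytes (libmagic via finfo), not
 * from the header the uploader's browser sent. Unknown => octet-stream.
 */
function detectMimeType(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    return (is_string($type) && $type !== '') ? $type : 'application/octet-stream';
}

/**
 * Upload time. $file['type'] is ignored on purpose; the detected type and an
 * opaque storage id are what the caller persists.
 */
function storeUpload(array $file): array
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $type = detectMimeType($file['tmp_name']);
    $id   = bin2hex(random_bytes(16));       // no user input in the on-disk name
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not move upload');
    }
    return ['id' => $id, 'type' => $type, 'name' => basename($file['name'] ?? 'file')];
}

/**
 * Request time. Headers are derived from the detected type stored at upload,
 * never from anything the uploader supplied.
 */
function responseHeaders(string $detectedType, string $displayName): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $displayName) ?: 'download';
    // nosniff stops the browser from second-guessing the declared type,
    // which matters most for text/plain and octet-stream responses.
    $headers = ['X-Content-Type-Options: nosniff'];
    if (isset(INLINE_TYPES[$detectedType])) {
        $headers[] = 'Content-Type: ' . $detectedType;
        $headers[] = 'Content-Disposition: inline; filename="' . $safeName . '"';
    } else {
        // Not allow-listed: force a download instead of letting the browser
        // or a plugin try to render it (the TRiG comment's Content-Disposition).
        $headers[] = 'Content-Type: application/octet-stream';
        $headers[] = 'Content-Disposition: attachment; filename="' . $safeName . '"';
    }
    return $headers;
}

function serveFile(string $id, string $detectedType, string $displayName): void
{
    // The id is our own hex token; reject anything else to avoid path games.
    $path = UPLOAD_DIR . '/' . $id;
    if (!preg_match('/^[a-f0-9]{32}$/', $id) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    foreach (responseHeaders($detectedType, $displayName) as $h) {
        header($h);
    }
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

At upload, `$row = storeUpload($_FILES['myFile']);` and persist `$row`; at download, `serveFile($row['id'], $row['type'], $row['name']);`. Whether the uploader used IE or Firefox then makes no difference, because nothing from the uploading browser's `type` field reaches the response.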