Html Mime Types

MIME types describe the media type of content, either in email, or served by web servers or web applications. They are intended to help provide a hint as to how the content should be processed and displayed.

  1. Encapsulates the notion of a MIME type. Can be used at render time, for example, with: class PostsController.
  2. Supported MIME types. By default, Experience Manager detects the file type using the file extension. Experience Manager can detect it from the contents of the files. For latter, select Detect MIME from content option in Day CQ DAM Mime Type Service in the Experience Manager Web Console.
  3. MIME media types indicate the following things − How different parts of a message, such as text and attachments, are combined into the message. The way in which each part of the message is specified. The way different items are encoded for transmission so that even software that was designed to work only with ASCII text can process the message.

Important MIME types for Web developers. This is the default for binary files. As it means unknown binary file, browsers usually don't execute it, or even ask if it.

Examples of MIME types:

  • text/html for HTML documents.
  • text/plain for plain text.
  • text/css for Cascading Style Sheets.
  • text/javascript for JavaScript files.
  • text/markdown for Markdown files.
  • application/octet-stream for binary files where user action is expected.

Server default configurations vary wildly and set different default MIME-type values for files with no defined content type.

Versions of the Apache Web Server before before 2.2.7 were configured to report a MIME type of text/plain or application/octet-stream for unknown content types. Modern versions of Apache report none for files with unknown content types.

Nginx will report text/plain if you don't define a default content type.

As new content types are invented or added to web servers, web administrators may fail to add the new MIME types to their web server's configuration. This is a major source of problems for users of browsers that respect the MIME types reported by web servers and applications.

Why are correct MIME types important?

If a web server or application reports an incorrect MIME type for content (including a 'default type' for unknown content), a web browser has no way of knowing the author's intentions. This may cause unexpected behavior.

Some web browsers, such as Internet Explorer, try to guess the correct MIME type. This allows misconfigured web servers and applications to continue working for those browsers (but not other browsers that correctly implement the standard). Apart from violating the HTTP spec, this is a bad idea for a couple of other significant reasons:

What is a mime type
Loss of control
If the browser ignores the reported MIME type, web administrators and authors no longer have control over how their content is to be processed.
For example, a web site oriented for web developers might wish to send certain example HTML documents as either text/html or text/plain in order to have the documents either processed and displayed as HTML or as source code. If the browser guesses the MIME type, this option is no longer available to the author.
Security
Some content types, such as executable programs, are inherently unsafe. For this reason, these MIME types are usually restricted in terms of what actions a web browser will take when given that type of content. An executable program should not be executed on the user's computer and should at least cause a dialog to appear asking the user if they wish to download the file.
MIME type guessing has led to security exploits in Internet Explorer that were based upon a malicious author incorrectly reporting a MIME type of a dangerous file as a safe type. This bypassed the normal download dialog, resulting in Internet Explorer guessing that the content was an executable program and then running it on the user's computer.
Types

JavaScript legacy MIME types

When looking for information about JavaScript MIME types, you may see several MIME types that reference JavaScript. Some of these MIME types include:

  • application/javascript
  • application/ecmascript
  • application/x-ecmascript
  • application/x-javascript
  • text/ecmascript
  • text/javascript1.0
  • text/javascript1.1
  • text/javascript1.2
  • text/javascript1.3
  • text/javascript1.4
  • text/javascript1.5
  • text/x-ecmascript
  • text/x-javascript

While browsers may support any, some, or all of these alternative MIME types, you should only use text/javascript to indicate the MIME type of JavaScript files.

Note: See MIME types (IANA media types) for more information.

How to determine the MIME type to set

There are several ways to determine the correct MIME type value to be used to serve your content.

  • If your content was created using commerical software, read the vendor's documentation to see what MIME types should be reported for the application.
  • Look in IANA's MIME Media Types registry, which contains information on all registered MIME types.
  • Search for the file extension in FILExt or the File extensions reference to see what MIME types are associated with that extension. Pay close attention as the application may have multiple MIME types that differ by only one letter.

How to check the MIME type of received content

  • In Firefox
    • Load the file and go to Tools > Page Info to get the content type for the page you accessed.
    • You can also go to Tools > Web Developer > Network and reload the page. The request tab gives you a list of all the resources the page loaded. Clicking on any resource will list all the information available, including the page's Content-Typeheader.
  • In Chrome
    • Load the file and go to View > Developer > Developer Tools and choose the Network tab. Reload the page and select the resource you want to inspect. Under headers look for Content-Type and it will report the content type of the resource.
  • Look for a <meta> element in the page source that gives the MIME type, for example <meta http-equiv='Content-Type'>.
    • According to the standards, the <meta> element that specifies the MIME type should be ignored if there's a Content-Type header available.

IANA keeps a list of registered MIME Media Types. The HTTP specification defines a superset of MIME types, which is used to describe the media types used on the web.

How to set up your server to send the correct MIME types

The goal is to configure your server to send the correct Content-Type header for each document.

Mime Types List

  • If you're using the Apache web server, check the Media Types and Character Encodings section of Apache Configuration: .htaccess for examples of different document types and their corresponding MIME types.
  • If you're using NGINX, look at the NGINX configuration snippets. NGINX does not have a .htaccess equivalent tool, so all changes will go into the main configuration file.
  • If you're using a server-side script or framework to generate content, the way to indicate the content type will depend on the tool you're using. Check the framework or library's documentation.

Related Links

MIME (Multipurpose Internet Mail Extensions) is used on the internet to determine a file’s type. It is similar to file extensions in operating systems.

Web Servers and browsers have a list of MIME types so they can identify files and take appropriate action. For example, if a file is a PDF, a browser may launch a relevant program so that you can see the content of this PDF file.

Clients and servers use MIME type information to negotiate content. Clients send MIME type information of request through Content-type Header in HTTP Request and state which kind of output they want to consume by using MIME types in the accept header.

MIME contains two parts: type and subtype. A slash (/) is used between type and subtype, such as image/jpeg. You can’t always see an extension in URLs because modern web applications use SEO (Search Engine Optimization) friendly URLs. It isn’t always possible to deduce which type of file is served by looking at the URL. SEO-friendly URLs or API endpoints, for example, usually don't have extensions.

Cybercriminals can still use the MIME feature to attack web applications. If a web application allows users to upload data to the server, attackers can disguise a malicious file under a harmless file type. When a web browser renders this file, it can allow the attacker to carry out a cross-site scripting attack.

Names

Netsparker detects all files with the MIME type during scanning. This information is very useful in case further manual testing is required. It also helps security professionals spot any unusual files or types served by the server, which could indicate a successful hack.

In addition to MIME-types listed in Knowledge Base, Netsparker also reports the URLs that lack a MIME type. These URLs can cause MIME type sniffing threats if content is misinterpreted by browsers. Netsparker reports Missing Content-Type Header issues for such cases.

Once the scan is completed, all MIME types are listed under the MIME Types node in the Knowledge Base. You can access the same information in theKnowledge Base Report andKnowledge Base Tab.

Netsparker forms Knowledge Base nodes on its findings. If the MIME Types node is not listed, it means that Netsparker did not find any.

For further information, see Knowledge Base Nodes.

How to View the MIME Types Node in Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
  3. Next to the relevant website, click Report.
  4. From the Technical Report section, click the Knowledge Base tab.
  5. Click the MIME Types node. The information is displayed in a MIME Types tab.
How to View the MIME Types Node in Netsparker Standard
  1. Open Netsparker Standard.
  2. Start a Scan or Import a previously saved scan.
  3. The Knowledge Base is displayed on the right of theScan Summary Dashboard. (If it is hidden, display it again using the Knowledge Base icon on the View tab on the ribbon. Alternatively, click the Reset Layout icon on the View tab, then close the Activity/Progress/Logs panes to give maximum viewing space.)

Html Mime Type Header

  1. Ensure that the Knowledge Base Viewer is also displayed. (If it is hidden, you can display it again using the Knowledge Base Viewer button on the View tab. You may also want to close the Activity/Progress/Logs panes.)
  2. Click the MIME Types node in the Knowledge Base. All detected MIME Types are displayed in the Knowledge Base Viewer.