Preamble
So IE does Mime-Type sniffing. That part's old news.
Suggestions of how to combat it tend to be along the lines of 'supply a content-type IE trusts' (i.e. anything that isn't text/plain or application/octet-stream) or 'add extraneous data at the start of the file that is definitely of the type you're serving'.
Now, I'm working on an application that has to allow message attachments (like in e-mails), occasionally to be displayed inline (again like in e-mails), and we want to close up XSS vectors. IE's mime sniffing (in unpatched IE6-, which I must support, e.g. IE6/Win2000) is one of those vectors - a text/plain
file with html content will trigger as html. Recoding isn't an option at this point, changing the attachments the user has provided can only happen if there is absolutely no doubt about the maliciousness of the file - and someone might want to send HTML as text.
Now, Microsoft's MSDN article implies the situation might be easier to fix than advertised:
If Internet Explorer knows the Content-Type specified and there is no Content-Disposition data, Internet Explorer performs a "MIME sniff," [...]
Great!
Except I don't have IE nor current means to reliably install it (I realise this is a fairly sad state for a webdeveloper to be in, I hope to fix this soon) and this is grey theory that I can't quite seem to get confirmed one way or the other. Local sources say that line is hogwash - IE will mime sniff anything that is Content-Disposition: inline / <default>
and not specific enough for its tastes in -Type.
But what about x-* ('extension-token' in the RFC)?
Trying to google for how browsers handle Content-Disposition: <extension-token>
hasn't yielded anything (though I may just be doing it wrong, my understanding of Google is seriously slipping lately). I found one question that looked promising, but turned out to be a misunderstanding on side of the thread author, meaning that the train of thought was never actually addressed there.
Question(s)
Does IE really Mime sniff if you expressly pass Content-Disposition: inline?
If so: Does anyone here know how browsers handle Content-Disposition: <extension-token>
?
If they do this in a way that is for my purposes benign, by presuming it to be synonymous with the default (effectively 'inline', though I hear it's not defined anywhere?), is it specific enough for IE not to Mime sniff? Or am I actually shooting myself in the foot by thinking of pursuing this avenue?