9

Except for the html document, currently all the files (css, javascript and images) served from my web server do not specify the content-type in the http response header. I happen to notice this as I intend to remove the type attribute in both my script tag and link tag, but came across this answer which says the following:

The MIME type is also sent via the HTTP Content-Type header, so using type="text/css" would only be extra bytes.

Improve this question
5
  • 2
    I believe you need to specify Content-Type for scripts to execute in IE. This is to prevent malicious users uploading scripts to image sharing websites. Commented Dec 3, 2013 at 10:53
  • @Brendon, thanks for pointing out the security implication. Is there any other aspect worth noting, security-wise, assuming no user uploaded content? Commented Dec 3, 2013 at 11:07
  • 1
    Are you sure your server is not sending a Content-Type header for these files? If you are viewing the response from files served from your browser cache then you probably won't see a Content-Type header. Commented Dec 3, 2013 at 11:59
  • Most servers will send the correct mime types by default, so unless you explicitly set your server to not send it, I'm betting the files are being sent with the correct mime type. Commented Dec 3, 2013 at 17:58
  • 1
    @w3d, thanks for your comment. I realize after rechecking that what I am reading off is actually from the request header of a 304 not modified file. Not exactly the cache, but the content-type is dropped from the header. Disabling the cache, everything appears normal again. Commented Dec 4, 2013 at 1:39

1 Answer 1

Reset to default
7

Yes. By the HTTP protocol, clause 7.2.1:

“Any HTTP/1.1 message containing an entity-body SHOULD include a Content-Type header field defining the media type of that body. If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content and/or the name extension(s) of the URI used to identify the resource.”

So yes, the response headers should contain Content-Type header for any response data (called “entity-body” in the protocol, often “file” in common language). If it is omitted, the browser is allowed to make its own wild guesses on the type of data it got. In many contexts, the risk of wrong guesses is negligible, but this is not a good excuse for violating the protocol.

Attributes like type=text/css and type=text/javascript have not been necessary, except by some formal specifications, or even useful. Thet do not make servers send Content-Type headers (even though this may have been the original idea).

If a server incorrectly sends e.g. CSS data without Content-Type, browsers used to treat the data as CSS if <link rel=stylesheet ...> was the element that caused the request. This seems to have changed. Browsers tend to ignore the style sheet unless the HTTP header specifies Content-Type: text/css (which is usually, but not necessarily, a browser default for .css files).

Improve this answer
1
  • "Even if a server incorrectly sends e.g. CSS data without Content-Type, browsers will treat the data as CSS if <link rel=stylesheet ...> was the element that caused the request." This does not appear to be correct, at least in Chrome! In Chrome, I tried <link rel="stylesheet" href="/style.css" /> and my server returned Content-Type: text/plain. Chrome loaded the asset, but the styles weren't taking effect. Setting the Content-Type to text/css fixed the issue. Commented Jan 17 at 19:19

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.