
Writing this question to help others who get this issue as I did not find an obvious or clear answer when I needed one.

Symptoms:

  • You have a legacy website / app
  • You implement the 'X-Content-Type: nosniff' HTTP header on the web server as good practice
  • IE11 now shows some images OK, but others appear as a black box with a white cross

What the heck?

Note that in my case this was an issue with Win2016 and IIS, but it is a generic issue for any web server that sends the X-content-type HTTP header.

Vanquished Wombat

1 Answer


This is about MIME sniffing. By setting the 'X-Content-Type: nosniff' HTTP header on the web server you are telling browser clients to pay attention to image MIME types, because you intend to send only correct MIME details.

The mime type depends on the content-type header that comes down from the server when images are requested. You can see this with Fiddler and similar tracing tools.

In our case, there was a legacy image server program on the server that was used to add an additional layer of app-based security around file access. Basically a DIY program written in VB6, but it could have been anything. Even our C# replacement in late-stage dev had the same issue.

This was sending the content-type as 'application/octet-stream', which is definitely nothing like 'image/jpg' or 'image/png' etc.

The combination of the server sending the X-content-type header and the image server sending its incorrect content type for the image data caused IE11 to decide that the image was not usable, and hence the black box and white cross issue.

Solution:

  • temp solution was to remove the X-content-type: nosniff from the web server config
  • longer-term solution was to modify the file server DLL to send the appropriate content-type header for the file type being served, and reinstate 'X-content-type: nosniff' on the web server!
Vanquished Wombat
  • Interesting... And did you see this issue only on IE11, or also on v10 and v9 (and what about Edge)? And did you get information about the `X-Content-Type: nosniff` usage in other browsers? Is it Microsoft who created a security check out of any standard, or a W3C requirement that is not completely followed by others (Google, Mozilla, etc.)? – Antwane Nov 30 '18 at 11:08
  • IE11 was what we were notified about. I have not tested beyond IE11. It is my assumption that IE9, 10 etc. will possibly behave in the same way because it is the same vendor and product line. For Edge I make no assumptions, as it seems to be a different dev team. Whilst researching I read that IE does not respect many HTTP headers, so you should suspect it in any situation where you apply server headers like CSP. – Vanquished Wombat Nov 30 '18 at 11:47
  • According to [this SO post](https://stackoverflow.com/a/18337753/1887976), this header is correctly handled by all major browsers. – Antwane Nov 30 '18 at 12:57
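The interaction the answer describes, worked through as an added example (not code from the poster's legacy image server or the C# replacement). The header that actually switches off sniffing is spelled `X-Content-Type-Options: nosniff`, which is what the model below checks; the sample JPEG/PNG bytes and the response headers are constructed, and `browser_will_render` is a simplified model of an `<img>` load, not a transcript of IE11's code. The second half, `content_type_for`, is the kind of server-side fix the answer's long-term solution calls for: derive the Content-Type from the bytes or the file extension instead of sending `application/octet-stream` for everything.

```python
"""
Model of the nosniff + wrong Content-Type failure described in the answer,
plus the server-side fix (send the right Content-Type per file type).
Added example; the headers and sample bodies below are constructed.
"""
import mimetypes

# Magic-byte signatures for the image formats browsers sniff.
IMAGE_SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Constructed sample bodies: just the leading bytes of real files.
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PNG_BODY = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"


def sniff_image_type(body: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES:
        if body.startswith(magic):
            return mime
    return None


def declared_media_type(headers: dict) -> str:
    """Media type from Content-Type, ignoring parameters and case."""
    value = headers.get("Content-Type", "")
    return value.split(";", 1)[0].strip().lower()


def browser_will_render(headers: dict, body: bytes) -> bool:
    """Simplified model of an <img> load in a browser that honours nosniff.

    - If the body is not a recognisable image, nothing renders.
    - If the server declares an image/* type, the browser decodes it.
    - If the server declares something else (e.g. application/octet-stream),
      only content sniffing can rescue the image, and nosniff forbids that.
    """
    if sniff_image_type(body) is None:
        return False
    if declared_media_type(headers).startswith("image/"):
        return True
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    return not nosniff


def content_type_for(filename: str, body: bytes) -> str:
    """Server-side fix: derive Content-Type from the bytes first, then from the
    extension, and fall back to application/octet-stream only for unknown data."""
    sniffed = sniff_image_type(body)
    if sniffed:
        return sniffed
    guessed, _ = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


def evaluate_cases() -> dict:
    """Run the three situations from the answer and report whether the image shows."""
    legacy = {"Content-Type": "application/octet-stream"}
    nosniff = {"X-Content-Type-Options": "nosniff"}
    fixed = {"Content-Type": content_type_for("photo.jpg", JPEG_BODY), **nosniff}
    return {
        # legacy image server, nosniff off: browser sniffs the JPEG and shows it
        "legacy_no_nosniff": browser_will_render(legacy, JPEG_BODY),
        # legacy image server, nosniff on: black box with white cross
        "legacy_with_nosniff": browser_will_render({**legacy, **nosniff}, JPEG_BODY),
        # corrected Content-Type, nosniff on: image shows and sniffing stays disabled
        "fixed_with_nosniff": browser_will_render(fixed, JPEG_BODY),
    }


if __name__ == "__main__":
    for name, ok in evaluate_cases().items():
        print(f"{name}: {'renders' if ok else 'broken image'}")
```

The point of the third case is that the temporary fix (dropping nosniff) and the proper fix (correct Content-Type) are not equivalent: only the latter keeps sniffing disabled for every other response the server sends. When auditing a site for this problem, the same check applies to what a proxy like Fiddler shows you: look at the Content-Type on each image response rather than at the nosniff header alone.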