IE9 has trouble with CSS Content-Types

The Internet Explorer 9 has been released a few days ago. It's a great improvement over old versions, despite of one mayor breakage.

Usually, a web-browser requests a CSS URL with a variety of HTTP-headers. The "Accept" HTTP-Header instructs the remote server, which valid content-types it can handle. In the past, most web-browsers sent a "Accept: text/css; */*" header, which means they prefer "text/css", but would also interpret any other file types as CSS.

Now, the IE9 does no longer send */* as an accepted content-Type, thus it will now ONLY render stylesheets if they have the Content-Type "text/css". If that does not happen, IE9 complains with a "HTTP 406" error and refuses to parse/render the stylesheet.

That does not sound so bad yet, but many web-applications (including Serendipity) provide dynamic CSS stylesheets that hide behind a PHP file. Serendipity compiles this PHP through a file called "serendipity.css.php". If URL rewriting is enabled, to mask that PHP file, a RewriteRule is added that will accept "serendipity.css" and send it to the main serendipity index.php file, which in turn will include serendipity.css.php and deliver the appropriate output.

Now certain Apache setups use a module mod_negotiation that will detect "Hey- there's a file serendipity.css.php, but the browser requested serendipity.css. He surely must be mistaken, I better serve up this serendipity.css.php file instead". Sadly, it does so, BEFORE executung mod_rewrite that would "fix" this behaviour.

Finally - mod_negotiate would basically properly execute the PHP file and return valid CSS. But it does that by returning a Content-Type that matches the original negotiated request, which is "application/x-httpd-php". IE9 will receive this, and refuse to render the proper CSS, because it does not accept */*.

IMHO this is a very bad mixture of several components acting weird altogether. But the easiest place to fix this is inside IE9, to restore the "Accept" behaviour of all other major browsers, so that mod_negotiated sites will not break.

I have posted on a IE9 Team blog since it seems, Microsoft does not accept bug reports anywhere. If anybody knows of a proper place to get a hold of their team, please let us know.

FINALLY - WHAT YOU CAN DO IF THIS AFFECTS YOUR SERENDIPITY BLOG:

Edit your .htaccess file, and add the directive Options -Multiviews at the top of the file. As long as your server has the AllowOveride ability enabled for you (that's mostly the case, as soon as you are allowed to use mod_rewrite) you can remove the negotiation feature of Apache.

This change in the default .htaccess will also be part of upcoming Serendipity versions.

Clarification: This is not only IE9's fault, but rather a bad combination of multiple factors: One being that s9y has a .php file called the same way like a rewritten URL. One being that mod_negotiate does not pass a request through to mod_rewrite and fatally catches it before other means are not used up. And the last being that IE9 does not accept a fallback contenttype for CSS.

The reason why I think this should be considered a IE9 bug, is because the restrictive parsing stats against current plans to make the web as accessible as possible. XHTML actually failed in its restrictive, XML-based parsing (google mime-type application/x-html+xml) was stomped down in favor of a lax HTML5 parsing. Users should never be locked out of content, and that's why I think a fallback */* should not hurt. This allows for applications to overcome mod_negotiate and allows the browser to evaluate the final Content-Type, and not an intermediate negotiated one.

Trackbacks

Trackback specific URI for this entry

  • No Trackbacks

Comments

Display comments as (Linear | Threaded)

Matthias Mees on at :

Important note: On some web servers, i.e. German all-inkl.com, loading the blog in IE9 will also kick off the hoster's security system, in this (my) case resulting in a ban for your current IP. This effectively means you will no longer be able to access your own site(s) and email. You'll need to contact your hoster to "un-ban" said IP (or get a new IP). (No longer necessary with the .htaccess fix mentioned above applied.)

Matthias Mees on at :

Since somebody asked on Twitter: Apparently, not all all-inkl.com servers are affected. (Probably depends on the hosting plan/server you're on.)

Seraphyn on at :

Okay, we waited for the IE6 to pushing daisies a long time, because we do not want to reinventing the wheel for one old fashioned damn piece of code used by some users which hate security and do not use browsers like:
- Opera
- Chromium
- links2
- Firefox
- w3m
- etc
Now we got a new shiny tiny piece of code from Microsoft and wow, again, we're having problems.
I could write some more things about it, but everything is said across the internet and I'll get catch the sunstreams of this nice sunday...
Thanks for the informations Garvin, keep up the good work...

Greetings
Chris

Christian Wenz on at :

I think they still accept bug reports at http://connect.microsoft.com/ie/. If you do not want to open an account there I am happy to proxy your report.

Ottmar Freudenberger on at :

Are you sure, IE9 is *sending* the 406 error? ;-)
Anyway and as state elsewhere, see also http://blogs.msdn.com/b/ieinternals/archive/2011/03/27/http-406-not-acceptable-php-ie9-standards-mode-accepts-only-text_2f00_css-for-stylesheets.aspx for your reference - and an explanation of MS's point of view.

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed