Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years. Here's the list I've come up with so far (including a few that were introduced before I joined the team):
Request Headers
UA-CPU
Allows a website to determine what CPU a client is using ("x86" or "AMD64" or "IA64"). IE7 clients emit this header unconditionally on 64-bit machines; in IE6 & 8, the header is only sent when using the 64-bit browser.
Response Headers
X-Meta-MSSmartTagsPreventParsing
Introduced in IE6 Betas for a “SmartTags” feature which never shipped in the final version. This meta tag has no effect on any non-beta version of IE.
Incidentally, it looks like some sites might also be trying to use "X-Meta-MSThemeCompatible" and "X-Meta-imagetoolbar" to control IE features, although as far as I can tell, these directives were never respected as headers.
Proxy-Support
Introduced in IE5 (or 6?) to allow proxies to specify that they understand NTLM/Negotiate authentication schemes. It has one legal value ("Session-Based-Authentication"). If present, IE will permit the multi-step NTLM/Negotiate handshake to take place through a proxy server. Otherwise, the 401 is treated as a fatal error and returned to the client.
X-UA-Compatible
Introduced in IE8 to allow sites to declare compatibility with a specific UA version.
https://blogs.msdn.com/ie/archive/2008/06/10/introducing-ie-emulateie7.aspx
Currently supported only in IE8. It looks like this one is quickly becoming common.
X-XSS-Protection
Introduced in IE8 to allow sites to opt-out of the XSS Filter. Legal values "0" and "1":
https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Currently supported only in IE8.
X-Content-Type-Options
Introduced in IE8 to opt-out of MIME sniffing.
https://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Currently only supported in IE8. Broadly used on some major sites, including Google.
X-Download-Options
Introduced in IE8 to control visibility of the "Open" button on the file download dialog.
https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Partially obsoletes existing "DownloadOptions" META tag:
https://msdn.microsoft.com/en-us/library/ms533689(VS.85).aspx
Currently only supported in IE8.
X-Frame-Options
Introduced in IE8 to help mitigate ClickJacking ("UI-Redress") attacks.
https://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
Supported in IE8 and Safari 4. It looks like this one is quickly becoming common.
If I've missed any, please let me know. :-)
-Eric
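As an added example (not part of the original post), this Python sketch audits a raw response head for the four IE8 security headers listed above. The names `parse_headers` and `audit` and both sample responses are constructed for illustration; "0" and "1" are the values the post gives for X-XSS-Protection, while "nosniff", "noopen", "DENY" and "SAMEORIGIN" are the documented values for the other three and are not quoted in the post.

```python
# Added example (not from the original post). Sample responses are constructed.
LEGAL = {  # header name (lower-cased) -> accepted first token (lower-cased)
    "x-content-type-options": {"nosniff"},
    "x-download-options": {"noopen"},
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"0", "1"},  # the two values the post lists
}

def parse_headers(raw):
    """Map lower-cased header names to the list of values sent for each."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (header, finding) pairs for one raw response head."""
    headers = parse_headers(raw)
    findings = []
    for name, legal in LEGAL.items():
        values = headers.get(name, [])
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:  # duplicates leave the effective policy ambiguous
            findings.append((name, "sent more than once"))
        for value in values:
            token = value.split(";", 1)[0].strip().lower()
            if token not in legal:
                findings.append((name, "unrecognized value: " + value))
            elif name == "x-xss-protection" and token == "0":
                findings.append((name, "XSS Filter opted out"))
    return findings

GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1\r\n\r\n<html>")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "x-content-type-options: no-sniff\r\nX-Frame-Options: DENY\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 0\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(raw))
```

A misspelled value such as "no-sniff" is the case worth catching: the header is present, so a presence-only check passes, but the browser does not honor it.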