Internet Explorer and Custom HTTP Headers


Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years.  Here’s the list I’ve come up with so far (including a few that were introduced before I joined the team):


Request Headers


 


UA-CPU


Allows a website to determine what CPU a client is using (“x86” or “AMD64” or “IA64”). IE7 clients emit this header unconditionally on 64-bit machines; in IE6 and IE8, the header is only sent when using the 64-bit browser.


 


Response Headers


 


X-Meta-MSSmartTagsPreventParsing


Introduced in IE6 Betas for a “SmartTags” feature which never shipped in the final version. This meta tag has no effect on any non-beta version of IE.


 


Incidentally, it looks like some sites might also be trying to use “X-Meta-MSThemeCompatible” and “X-Meta-imagetoolbar” to control IE features, although as far as I can tell, these directives were never respected as headers.


 


Proxy-Support


Introduced in IE5 (or 6?) to allow proxies to specify that they understand NTLM/Negotiate authentication schemes.  It has one legal value (“Session-Based-Authentication”).  If present, IE will permit the multi-step NTLM/Negotiate handshake to take place through a proxy server.  Otherwise, the 401 is treated as a fatal error and returned to the client.


 


X-UA-Compatible


Introduced in IE8 to allow sites to declare compatibility with a specific UA version.


http://blogs.msdn.com/ie/archive/2008/06/10/introducing-ie-emulateie7.aspx


Currently supported only in IE8. It looks like this one is quickly becoming common.


 


X-XSS-Protection


Introduced in IE8 to allow sites to opt out of the XSS Filter.  The legal values are “0” and “1”:


http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx


Currently supported only in IE8.


 


X-Content-Type-Options


Introduced in IE8 to allow sites to opt out of MIME sniffing.


http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx


Currently only supported in IE8.  Broadly used on some major sites, including Google.


 


X-Download-Options


Introduced in IE8 to control visibility of the “Open” button on the file download dialog.


http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx


Partially obsoletes existing “DownloadOptions” META tag:


http://msdn.microsoft.com/en-us/library/ms533689(VS.85).aspx


Currently only supported in IE8.


 


X-Frame-Options


Introduced in IE8 to help mitigate ClickJacking (“UI-Redress”) attacks.


http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx


Supported in IE8 and Safari 4. It looks like this one is quickly becoming common.
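
As an added example (not part of the original post or of any IE tooling), the following Python script audits a raw response head for the response headers listed above. The function names are hypothetical and the sample response is constructed; the legal values for X-XSS-Protection and Proxy-Support come from this post, while `nosniff`, `noopen`, `DENY` and `SAMEORIGIN` are the documented tokens for the other headers and are not quoted here.

```python
# Added example (not from the original post). Legal values for X-XSS-Protection
# and Proxy-Support are quoted from the post; nosniff, noopen, DENY and
# SAMEORIGIN are the tokens documented for the other three headers.
LEGAL = {
    "x-xss-protection": {"0", "1"},
    "x-content-type-options": {"nosniff"},
    "x-download-options": {"noopen"},
    "x-frame-options": {"deny", "sameorigin"},
    "proxy-support": {"session-based-authentication"},
}
# Directives the post says have no effect when sent as headers.
NO_EFFECT = {"x-meta-mssmarttagspreventparsing",
             "x-meta-msthemecompatible", "x-meta-imagetoolbar"}
# Protections that stay off unless the site sends the header.
EXPECTED = ("x-content-type-options", "x-frame-options")

def parse_head(raw):
    """Return {lowercased header name: [values]} from a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit(raw):
    """Return a sorted list of (header, finding) pairs."""
    fields, findings = parse_head(raw), set()
    for name, values in fields.items():
        if name in NO_EFFECT:
            findings.add((name, "no-effect"))
        if name not in LEGAL:
            continue
        if len(values) > 1:
            findings.add((name, "duplicate"))
        for value in values:
            token = value.split(";", 1)[0].strip().lower()  # ignore parameters
            if token not in LEGAL[name]:
                findings.add((name, "invalid-value"))
            elif name == "x-xss-protection" and token == "0":
                findings.add((name, "filter-disabled"))
    findings.update((n, "missing") for n in EXPECTED if n not in fields)
    return sorted(findings)

# Constructed sample response, not captured from a real site.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-XSS-Protection: 0\r\nX-Content-Type-Options: no-sniff\r\n"
          "X-Meta-imagetoolbar: no\r\n\r\n<html></html>")

if __name__ == "__main__":
    for header, finding in audit(SAMPLE):
        print(f"{header}: {finding}")
```

Header names are compared case-insensitively, and anything after a “;” in a value is ignored by the value check.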


If I’ve missed any, please let me know.  🙂


-Eric
