IE Pitfalls: Document “contype” Requests

Contributing Editor

This article describes slightly bizarre behavior which has been in Internet Explorer since version 4. You’ll encounter the issue if you use plugins or SVG images, e.g.


<object type="image/svg+xml" data="image.svg"></object>

When parsing this code, IE will make two GET requests:

  1. The first is a request for the content-type (image/svg+xml) so the browser can invoke the handler application inside the browser window. This request is identified with a “contype” user agent string.
  2. The second is a request for the document itself (which must also return the correct content-type).

(If you still worry about IE 4.x and 5.0.x, they make an additional initial request to get the content-type and perform a registry look-up to determine which application is required.)

No other browsers implement this process but it occurs in every version of Internet Explorer including IE9.

Unfortunately, it can lead to problems…

Large documents
If you are returning a large document, such as a PDF, the initial content-type request will timeout if it takes longer than 10 seconds. Static files probably aren’t an issue since your server may automatically recognize the “contype” request and respond accordingly. However, if you’re generating a document, it increases the possibility of a timeout. At best, IE is doubling your server load and skewing your statistics.

User agent checking
This is the problem I encountered. Web applications often check the user agent string for security purposes, i.e. if the user agent changes between subsequent requests, someone could be attempting to hijack the session — it’s invalidated and the user is logged out.

If you’re generating an SVG in a typical MVC application, IE makes the following requests for a resource containing that image:

  1. The HTML page. The server is passed the standard MSIE user agent string (the session is valid).
  2. The SVG content-type. The server is passed a user agent of “contype” which invalidates the session.
  3. The SVG document. The server is passed the standard MSIE user agent string but nothing is returned because the session is no longer available.

It’s a difficult issue to debug since an IE user will log out every time they encounter a page with an SVG image.

The contype Solution

The best way to prevent issues is to detect the “contype” user agent, return the appropriate content-type and cancel further rendering. For example, in PHP:


if($_SERVER['HTTP_USER_AGENT'] == 'contype') {
	header('Content-Type: image/svg+xml');
	die();
}

Ugghh. No other vendor finds it necessary to make initial content-type requests, so let’s hope Microsoft rip this “feature” from IE10.

For more information, refer to PRB: Three GET Requests Are Sent When You Retrieve Plug-in Served Content.

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • Les

    Let’s hope Microsoft just rip IE altogether and just forget about being a browser vendor… in fact, why don’t they just forget about being a software vendor period?

    Wouldn’t that be something, such a huge relief it would be to the whole world.

  • http://www.xoogu.com/ Dave

    Thanks for sharing this, I wasn’t aware of this behaviour (though I don’t currently use SVGs anyway).

    Your PHP solution would only be suitable for dynamically generated svg files. I did a quick test with a static svg file embedded in a page on my local web server, and it seems Nginx is wise to the contype ua. Nginx will respond to the contype request with just the headers. Then on the second request that is sent with the true ua, it will respond with the headers and content.

    I don’t know how apache deals with contype and static files, but nice to know nginx deals with it automatically.

  • Jon

    I’m worried by this statement:

    (If you still worry about IE 4.x and 5.0.x, they make an additional initial request to get the content-type and perform a registry look-up to determine which application is required.)

    … if only for the sanity of the developers who have such backward thinking employers …