
MIME-Handling Change: X-Content-Type-Options: nosniff

The script and styleSheet elements will reject responses with incorrect MIME types if the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion.

This change impacts the browser's behavior when the server sends the "X-Content-Type-Options: nosniff" header on its responses.

Symptom

If the "nosniff" directive is received on a response retrieved by a styleSheet reference, Windows Internet Explorer will not load the "stylesheet" file unless the MIME type matches "text/css".

If the "nosniff" directive is received on a response retrieved by a script reference, Internet Explorer will not load the "script" file unless the MIME type matches one of the following values:

  • "application/ecmascript"
  • "application/javascript"
  • "application/x-javascript"
  • "text/ecmascript"
  • "text/javascript"
  • "text/jscript"
  • "text/x-javascript"
  • "text/vbs"
  • "text/vbscript"

When such content is blocked, the F12 developer tools show the following message:

SEC7112: Script from http://www.debugtheweb.com/test/mime/textplainnosniff.asp was blocked due to mime type mismatch script.asp

Resolution

Ensure that any response received with the "nosniff" directive has a MIME type that matches one of the values listed previously.
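An added example, not part of the original Microsoft page: a JavaScript audit that applies the rules above to response headers and reports which script or stylesheet references would be blocked. The sample responses and URLs are constructed, and matching case-insensitively while ignoring Content-Type parameters is an assumption.

```javascript
// MIME types the page lists as acceptable for each reference kind under nosniff.
const ALLOWED = {
  stylesheet: new Set(["text/css"]),
  script: new Set([
    "application/ecmascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/x-javascript",
    "text/vbs", "text/vbscript",
  ]),
};

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Assumption: only the type/subtype is compared, lowercased, with parameters
// such as "; charset=utf-8" removed. The page itself only says "matches".
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Returns null if the response would load, or a reason string if it would be blocked.
function nosniffVerdict(kind, headers) {
  const allowed = ALLOWED[kind];
  if (!(allowed instanceof Set)) throw new TypeError(`unknown reference kind: ${kind}`);
  // Assumption: the directive value is matched case-insensitively.
  const xcto = (getHeader(headers, "X-Content-Type-Options") || "").trim().toLowerCase();
  if (xcto !== "nosniff") return null; // directive absent: this change does not apply
  const type = mediaType(getHeader(headers, "Content-Type"));
  return allowed.has(type) ? null : `${kind} blocked: MIME type "${type || "(none)"}" does not match`;
}

// Constructed sample responses (hypothetical URLs), not captured from a real site.
const SAMPLES = [
  { url: "/app.js", kind: "script", headers: { "Content-Type": "text/javascript; charset=utf-8", "X-Content-Type-Options": "nosniff" } },
  { url: "/data.asp", kind: "script", headers: { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" } },
  { url: "/site.css", kind: "stylesheet", headers: { "content-type": "text/html", "x-content-type-options": "nosniff" } },
  { url: "/legacy.js", kind: "script", headers: { "Content-Type": "text/plain" } },
  { url: "/theme.css", kind: "stylesheet", headers: { "Content-Type": "Text/CSS", "X-Content-Type-Options": "NoSniff" } },
];

// Collects only the responses that would be rejected, with the reason for each.
function audit(samples) {
  return samples
    .map((s) => ({ url: s.url, reason: nosniffVerdict(s.kind, s.headers) }))
    .filter((r) => r.reason !== null);
}

for (const r of audit(SAMPLES)) console.log(r.url, "->", r.reason);
```

Running the same check against a site's real script and stylesheet responses before enabling the header shows which Content-Type values need correcting first.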

If you find any sites that are sending improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect.

Build date: 9/28/2012

© 2013 Microsoft. All rights reserved.