
MIME-Handling Change: X-Content-Type-Options: nosniff

Affected Internet Explorer Document Mode

All

Feature Impact

Severity: High

Probability of Impact: Low

Description

SCRIPT and STYLESHEET elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff. This is a security feature that helps prevent attacks based on MIME-type confusion.

Affected Areas

This change impacts the browser’s behavior when the server sends the X-Content-Type-Options: nosniff header on its responses.

If the nosniff directive is received on a response retrieved by a STYLESHEET reference, Internet Explorer will not load the “stylesheet” file unless the MIME type matches text/css.

If the nosniff directive is received on a response retrieved by a SCRIPT reference, Internet Explorer will not load the “script” file unless the MIME type matches one of the following values:

  • application/ecmascript
  • application/javascript
  • application/x-javascript
  • text/ecmascript
  • text/javascript
  • text/jscript
  • text/x-javascript
  • text/vbs
  • text/vbscript

When such content is blocked, the F12 developer tools show the following message:

SEC7112: Script from http://www.debugtheweb.com/test/mime/textplainnosniff.asp was blocked due to mime type mismatch script.asp


Guidelines

Ensure that any response sent with the nosniff directive has a MIME type that matches one of the values listed above.
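The following is an added example, not code from the original page or from Microsoft: it models the blocking decision described above so that captured response headers can be checked offline. It assumes the directive is matched case-insensitively and that Content-Type parameters such as charset are ignored; the sample headers in the test are constructed.

```python
# Added example (not Microsoft's code): a model of the IE nosniff decision
# described on this page, usable as an offline checker for captured headers.

# Media types IE accepts for a SCRIPT reference under nosniff (from the page).
SCRIPT_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/x-javascript",
    "text/vbs", "text/vbscript",
}
# Media type IE accepts for a STYLESHEET reference under nosniff (from the page).
STYLESHEET_TYPES = {"text/css"}


def _lower_keys(headers):
    """Header names are case-insensitive; normalise them for lookup."""
    return {name.lower(): value for name, value in headers.items()}


def media_type(content_type):
    """Return the bare media type, lowercased, with parameters (charset, etc.) dropped."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def has_nosniff(headers):
    """True if X-Content-Type-Options carries the nosniff token.
    Assumption: the token is compared case-insensitively."""
    value = _lower_keys(headers).get("x-content-type-options", "")
    return "nosniff" in [token.strip().lower() for token in value.split(",")]


def ie_would_block(headers, context):
    """Model the documented behaviour: with nosniff present, a SCRIPT or
    STYLESHEET reference loads the response only if its media type is in the
    allowed set for that context. Without nosniff, no MIME-type rejection
    is modelled (IE may content-sniff instead). context is 'script' or 'stylesheet'."""
    if context == "script":
        allowed = SCRIPT_TYPES
    elif context == "stylesheet":
        allowed = STYLESHEET_TYPES
    else:
        raise ValueError("context must be 'script' or 'stylesheet'")
    if not has_nosniff(headers):
        return False
    return media_type(_lower_keys(headers).get("content-type")) not in allowed


def check_responses(responses):
    """responses: list of (url, headers, context). Returns the URLs IE would block."""
    return [url for url, headers, context in responses if ie_would_block(headers, context)]
```

A response that would trigger SEC7112 shows up in the returned list, which is the condition the guideline above asks you to eliminate.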

If you find any sites that are sending improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect.


Build date: 6/11/2011
