Reducing MIME type security risks

The script and styleSheet elements will reject responses with incorrect MIME types if the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion.

This change impacts the browser's behavior when the server sends the "X-Content-Type-Options: nosniff" header on its responses.

If the "nosniff" directive is received on a response retrieved by a styleSheet reference, Windows Internet Explorer will not load the "stylesheet" file unless the MIME type matches "text/css".

If the "nosniff" directive is received on a response retrieved by a script reference, Internet Explorer will not load the "script" file unless the MIME type matches one of the following values:

  • "application/ecmascript"
  • "application/javascript"
  • "application/x-javascript"
  • "text/ecmascript"
  • "text/javascript"
  • "text/jscript"
  • "text/x-javascript"
  • "text/vbs"
  • "text/vbscript"

When such content is blocked, the F12 developer tools show the following message:

SEC7112: Script from http://www.debugtheweb.com/test/mime/textplainnosniff.asp was blocked due to mime type mismatch script.asp

Ensure that any response received with the "nosniff" directive has a MIME type that matches one of the values listed previously.
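A check along these lines can be run over captured response headers to find resources that would be refused. It is an added example, not Microsoft's code: the MIME lists come from this page, while the function names, the sample paths, and the choice to ignore letter case and "; charset=" parameters are assumptions.

```javascript
// MIME types accepted under nosniff, copied from the lists on this page.
const SCRIPT_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/jscript", "text/x-javascript",
  "text/vbs", "text/vbscript",
]);
const STYLE_TYPES = new Set(["text/css"]);
// Case-insensitive header lookup in a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Assumption: letter case and parameters such as "; charset=utf-8" are ignored
// when comparing; the page does not say how the browser treats them.
function mimeEssence(contentType) {
  return contentType === null ? "" : contentType.split(";")[0].trim().toLowerCase();
}

// kind is "script" or "stylesheet"; returns { blocked, reason }.
function checkNosniff(kind, headers) {
  if (kind !== "script" && kind !== "stylesheet") throw new Error("unknown kind: " + kind);
  const xcto = header(headers, "X-Content-Type-Options");
  if (xcto === null || xcto.trim().toLowerCase() !== "nosniff") {
    return { blocked: false, reason: "no nosniff directive, rule does not apply" };
  }
  const mime = mimeEssence(header(headers, "Content-Type"));
  const allowed = kind === "script" ? SCRIPT_TYPES : STYLE_TYPES;
  return allowed.has(mime)
    ? { blocked: false, reason: mime + " is accepted for " + kind }
    : { blocked: true, reason: (mime || "(no Content-Type)") + " is not accepted for " + kind };
}

// Constructed sample responses; the paths are hypothetical.
const NS = { "X-Content-Type-Options": "nosniff" };
const SAMPLES = [
  { url: "/js/app.js", kind: "script", headers: { ...NS, "Content-Type": "text/plain" } },
  { url: "/js/lib.js", kind: "script", headers: { "x-content-type-options": "NoSniff", "content-type": "Application/JavaScript; charset=utf-8" } },
  { url: "/css/site.css", kind: "stylesheet", headers: { ...NS, "Content-Type": "text/html" } },
  { url: "/css/print.css", kind: "stylesheet", headers: { ...NS, "Content-Type": "text/css" } },
  { url: "/js/legacy.js", kind: "script", headers: { "Content-Type": "text/plain" } },
  { url: "/js/nomime.js", kind: "script", headers: { ...NS } },
];

// URLs that would be refused, so their Content-Type needs fixing server-side.
function audit(samples) {
  return samples.filter((s) => checkNosniff(s.kind, s.headers).blocked).map((s) => s.url);
}
console.log(audit(SAMPLES));
```

A response without the "nosniff" header is reported as not blocked because the rule on this page does not apply to it, not because its MIME type is correct.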

If you find any sites that are sending improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect.

© 2015 Microsoft