Reducing MIME type security risks

Script and stylesheet references (script elements and stylesheet links) reject responses whose MIME type does not match the expected type when the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion, in which content served as one type (for example, a user-uploaded text file) is sniffed and executed by the browser as another (such as script).

This change impacts the browser's behavior when the server sends the "X-Content-Type-Options: nosniff" header on its responses.

If the "nosniff" directive is present on a response retrieved for a stylesheet reference, Windows Internet Explorer will not load the stylesheet unless the MIME type matches "text/css".

If the "nosniff" directive is present on a response retrieved for a script reference, Internet Explorer will not load the script unless the MIME type matches one of the following values:

  • "application/ecmascript"
  • "application/javascript"
  • "application/x-javascript"
  • "text/ecmascript"
  • "text/javascript"
  • "text/jscript"
  • "text/x-javascript"
  • "text/vbs"
  • "text/vbscript"

When such content is blocked, the F12 developer tools show the following message:

SEC7112: Script from http://www.debugtheweb.com/test/mime/textplainnosniff.asp was blocked due to mime type mismatch script.asp

Ensure that any response served with the "nosniff" directive has a MIME type that matches one of the values listed previously. In particular, script served as "text/plain" (as in the message above) or without a Content-Type header is blocked, so the header must be paired with correct Content-Type values on every script and stylesheet the server returns.
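The following is an added example, not code from the original page or from Internet Explorer itself. It models the blocking rule described above (a response carrying "X-Content-Type-Options: nosniff" is loaded for a script or stylesheet reference only when its media type is on the allow list), and pairs it with a small server-side helper that chooses a Content-Type by file extension so that responses can safely carry the nosniff header. The function names, the extension-to-type table and the sample responses are this example's own assumptions; the model compares only the media type and ignores parameters such as charset.

```javascript
// Added example (not from the original page): a model of the blocking rule
// applied when a response carries "X-Content-Type-Options: nosniff", plus a
// server-side helper that picks a Content-Type that passes the check.
// Function names and the extension table are this example's own assumptions.

// MIME types the page lists as acceptable for a script reference.
const SCRIPT_TYPES = new Set([
  "application/ecmascript",
  "application/javascript",
  "application/x-javascript",
  "text/ecmascript",
  "text/javascript",
  "text/jscript",
  "text/x-javascript",
  "text/vbs",
  "text/vbscript",
]);

// Only "text/css" is acceptable for a stylesheet reference.
const STYLESHEET_TYPES = new Set(["text/css"]);

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Reduce "Text/JavaScript; charset=utf-8" to "text/javascript": this model
// checks the media type and ignores its parameters (an assumption).
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// True when the nosniff directive is present on the response.
function hasNosniff(headers) {
  const value = getHeader(headers, "X-Content-Type-Options");
  return value !== undefined && value.trim().toLowerCase() === "nosniff";
}

// Decide whether a response fetched for `kind` ("script" or "stylesheet")
// is loaded or blocked. Without nosniff the content is loaded regardless of
// Content-Type; with nosniff the media type must be on the allow list.
function checkResponse(kind, headers) {
  const allowed = kind === "script" ? SCRIPT_TYPES : STYLESHEET_TYPES;
  const type = mediaType(getHeader(headers, "Content-Type"));
  if (!hasNosniff(headers)) {
    return { blocked: false, reason: "no nosniff directive; content sniffing permitted" };
  }
  if (allowed.has(type)) {
    return { blocked: false, reason: `"${type}" is acceptable for a ${kind} reference` };
  }
  return { blocked: true, reason: `${kind} blocked due to mime type mismatch ("${type || "none"}")` };
}

// Server-side helper: choose a Content-Type by file extension so that the
// response can carry nosniff. Unknown extensions fall back to
// application/octet-stream, which nosniff blocks when referenced as a script
// or stylesheet: failing closed is the intended behaviour.
const TYPE_BY_EXTENSION = {
  ".js": "text/javascript",
  ".css": "text/css",
  ".vbs": "text/vbscript",
};

function responseHeadersFor(path) {
  const dot = path.lastIndexOf(".");
  const ext = dot === -1 ? "" : path.slice(dot).toLowerCase();
  return {
    "Content-Type": TYPE_BY_EXTENSION[ext] || "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = [
  ["script", { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" }],
  ["script", { "content-type": "text/javascript; charset=utf-8", "x-content-type-options": "NOSNIFF" }],
  ["script", { "Content-Type": "text/plain" }],
  ["stylesheet", { "Content-Type": "text/html", "X-Content-Type-Options": "nosniff" }],
  ["stylesheet", responseHeadersFor("/static/site.css")],
  ["script", responseHeadersFor("/uploads/readme.txt")],
];

for (const [kind, headers] of SAMPLES) {
  const result = checkResponse(kind, headers);
  console.log(`${kind.padEnd(10)} ${result.blocked ? "BLOCKED" : "loaded "} ${result.reason}`);
}
```

The first sample reproduces the case in the SEC7112 message above (script served as text/plain with nosniff) and is blocked; the third shows that the same response without the header is loaded, which is why the header matters. The last sample shows the fail-closed path: a file with an unknown extension gets application/octet-stream and is refused as script.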

If you find any sites that send improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect.