Reverted X-Content-Type-Options: nosniff now applies to top-level documents, causing some pages to be downloaded

Published: | Categories: Networking, Privacy & Security

Description

The X-Content-Type-Options HTTP response header has been supported since Firefox 50, and its nosniff directive can be used to effectively block scripts and stylesheets served with an incorrect MIME type.

Starting with Firefox 71, it will be applied to top-level documents as well, to further improve browser security. This means HTML web pages served with a MIME type other than text/html will be downloaded instead of being rendered when the X-Content-Type-Options header is utilized.

A couple of sites are known to be affected by this change, including Microsoft Office 365, so make sure to double-check your site.

Update: The change has been backed out from Firefox 71. Mozilla developers are planning to redo this in Firefox 72 with some tweaks.
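One way to double-check a site for the condition described above, as an added example that is not Mozilla's code: it flags HTML responses that carry nosniff together with a Content-Type other than text/html. The function names, the HTML-detection heuristic, and the sample responses are assumptions constructed for illustration.

```python
HTML_STARTS = (b"<!doctype html", b"<html", b"<head", b"<body")

def get_header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def nosniff_enabled(headers):
    # Per the Fetch standard, only the first comma-separated value counts.
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.split(",")[0].strip().lower() == "nosniff"

def mime_essence(headers):
    """Content-Type without parameters, lower-cased; '' when missing."""
    return (get_header(headers, "Content-Type") or "").split(";")[0].strip().lower()

def looks_like_html(body):
    # Assumption: rough heuristic, skip BOM/whitespace and look for an HTML tag.
    return body[:64].lstrip(b"\xef\xbb\xbf \t\r\n").lower().startswith(HTML_STARTS)

def audit(headers, body):
    """Classify one top-level response as 'at-risk', 'ok' or 'not-html'."""
    if not looks_like_html(body):
        return "not-html"
    if nosniff_enabled(headers) and mime_essence(headers) != "text/html":
        return "at-risk"
    return "ok"

# Constructed sample responses (hypothetical URLs), not captured traffic.
SAMPLES = [
    ("https://app.example.test/", {"Content-Type": "text/html; charset=utf-8",
      "X-Content-Type-Options": "nosniff"}, b"<!DOCTYPE html><html></html>"),
    ("https://app.example.test/legacy", {"Content-Type": "text/plain",
      "X-Content-Type-Options": "nosniff"}, b"\n<html><body>hi</body></html>"),
    ("https://app.example.test/untyped", {"x-content-type-options": "NoSniff"},
      b"<!doctype html><title>t</title>"),
    ("https://app.example.test/api", {"Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff"}, b'{"ok": true}'),
]

def report(samples=SAMPLES):
    return {url: audit(headers, body) for url, headers, body in samples}

if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:9} {url}")
```

To audit a live site, feed `audit` the response headers and the first bytes of the body for each page URL as collected by your HTTP client of choice.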
