Breaking X-Content-Type-Options: nosniff now applies to top-level documents, causing some pages to be downloaded

Categories: Networking, Privacy & Security

Releases: Firefox 72, Firefox 78 ESR

Description

The X-Content-Type-Options HTTP response header has been supported since Firefox 50, and the nosniff directive can be used to effectively block scripts and stylesheets served with a wrong MIME type.

Starting with Firefox 71, the header is applied to top-level documents as well, to further improve browser security. This means that an HTML page served with a MIME type other than text/html will be downloaded instead of rendered when the X-Content-Type-Options: nosniff header is present.

A couple of sites are known to be affected by this change, including Microsoft Office 365, so make sure to double-check your site.

Update: The change has been backed out from Firefox 71. Mozilla developers are planning to redo this in Firefox 72 with some tweaks.

Update 2: The change has landed again in Firefox 72. To mitigate the compatibility risk, MIME type sniffing remains enabled when X-Content-Type-Options is set but no Content-Type is provided.

Update 3: The empty Content-Type workaround has been removed with Firefox 75.
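A small audit helper that predicts, from a response's headers, how the behaviour described in this note and its three updates plays out for a top-level HTML navigation in a given Firefox version. This is an added example, not Mozilla's code; the version rules encode only what the note states (enforced from 72, empty Content-Type sniffed in 72 to 74) and are a simplification of Firefox's real content sniffing logic.

```python
"""Predict Firefox's handling of nosniff on top-level HTML documents (added example)."""


def nosniff_enabled(headers):
    """Fetch-style check: the first comma-separated value of X-Content-Type-Options
    must be 'nosniff' (ASCII case-insensitive). Keys must already be lowercased."""
    raw = headers.get("x-content-type-options")
    if raw is None:
        return False
    return raw.split(",")[0].strip().lower() == "nosniff"


def mime_essence(content_type):
    """'Text/HTML; charset=utf-8' -> 'text/html'; missing or blank -> None."""
    if content_type is None or not content_type.strip():
        return None
    return content_type.split(";")[0].strip().lower()


def top_level_html_outcome(headers, firefox_version):
    """Return 'render', 'download', 'sniff' or 'not_enforced' for an HTML page
    served with these response headers (header names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not nosniff_enabled(h):
        return "not_enforced"          # nosniff absent: the change does not apply
    if firefox_version < 72:
        return "not_enforced"          # shipped in 71 but backed out; relanded in 72
    essence = mime_essence(h.get("content-type"))
    if essence is None:
        # Firefox 72-74 workaround: nosniff with no Content-Type still sniffs.
        # From 75 the workaround is gone, so the general rule applies.
        return "sniff" if firefox_version < 75 else "download"
    return "render" if essence == "text/html" else "download"


def flag_at_risk(responses, firefox_version=78):
    """responses: iterable of (url, headers). Returns the URLs that would be
    downloaded instead of rendered in the given Firefox version (78 = ESR)."""
    return [url for url, hdrs in responses
            if top_level_html_outcome(hdrs, firefox_version) == "download"]


if __name__ == "__main__":
    # Constructed sample responses for a quick run; not real site data.
    sample = [
        ("https://example.test/ok", {"Content-Type": "text/html; charset=utf-8",
                                     "X-Content-Type-Options": "nosniff"}),
        ("https://example.test/bad", {"Content-Type": "application/octet-stream",
                                      "X-Content-Type-Options": "nosniff"}),
        ("https://example.test/notype", {"X-Content-Type-Options": "nosniff"}),
    ]
    print(flag_at_risk(sample, 72), flag_at_risk(sample, 78))
```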

References