X-Content-Type-Options: nosniff is now enforced even if Content-Type is not given

Published: | Categories: Networking, Privacy & Security

Description

Since Firefox 72, the X-Content-Type-Options HTTP response header has been applied to top-level documents, but to mitigate the compatibility risk, the nosniff directive was ignored when the Content-Type header was empty or not provided.

This workaround has been removed in Firefox 75, as Mozilla’s Telemetry data showed there is no real compatibility risk. Web developers should still be aware of the change: if a misconfigured server or application sends an empty or missing Content-Type header, the enforced nosniff directive causes an HTML page to be offered as a download instead of being rendered.
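The following is an added example (not Mozilla’s code) that models the behaviour described above for a top-level document and lints a response for the misconfiguration; the header block parser and the sample responses are constructed for the demonstration, and the `firefox_version` parameter only distinguishes the pre-75 workaround from the 75+ enforcement.

```python
# Added example, not part of the original note: lint HTTP response headers for
# the Firefox 75 nosniff / Content-Type interaction on top-level documents.
from typing import List, Tuple

Headers = List[Tuple[str, str]]

def parse_raw_headers(raw: str) -> Headers:
    """Split a raw header block (one 'Name: value' per line) into pairs.
    The status line and blank lines are skipped; names keep their case."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def header(headers: Headers, name: str) -> str:
    """First value of a header, matched case-insensitively; '' if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return ""

def has_nosniff(headers: Headers) -> bool:
    # The directive is a single case-insensitive token.
    return header(headers, "X-Content-Type-Options").lower() == "nosniff"

def classify(headers: Headers, firefox_version: int = 75) -> str:
    """How Firefox treats the response when it is the top-level document."""
    if header(headers, "Content-Type"):
        return "declared"   # the declared type is used, nosniff or not
    if has_nosniff(headers) and firefox_version >= 75:
        return "download"   # nosniff enforced with no type to trust
    return "sniffed"        # pre-75 workaround, or no nosniff: body is sniffed

def lint(headers: Headers) -> List[str]:
    """Findings a web developer would want to fix before Firefox 75 users hit them."""
    findings = []
    if not has_nosniff(headers):
        findings.append("add X-Content-Type-Options: nosniff")
    if not header(headers, "Content-Type"):
        findings.append("send an explicit Content-Type (e.g. text/html; charset=utf-8)")
    return findings

# Constructed sample responses for the demonstration (not real captures).
MISCONFIGURED = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: NOSNIFF\r\nContent-Type:\r\n"
CORRECT = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html; charset=utf-8\r\n"

if __name__ == "__main__":
    for raw in (MISCONFIGURED, CORRECT):
        h = parse_raw_headers(raw)
        print(classify(h, 72), classify(h, 75), lint(h))
```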
