Since Firefox 72, the X-Content-Type-Options HTTP response header has been applied to top-level documents, but to mitigate the compatibility risk, the nosniff directive would be ignored when the Content-Type header is empty or not provided.
This workaround was removed in Firefox 75, as Mozilla’s Telemetry has proved there’s no real risk. Still, web developers may want to be aware of the change, because nosniff enforcement causes HTML pages to be downloaded when the server or application is misconfigured.
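A check that a server operator can run over captured response heads for top-level documents, added here as an example and not taken from the original page. The function names and the sample responses are constructed for illustration; the nosniff test reads the first comma-separated value of the header, case-insensitively.

```python
# Added example: flag document responses that pair nosniff with a missing or
# empty Content-Type, the combination Firefox 75+ no longer tolerates.


def parse_headers(raw_head):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_nosniff(headers):
    """True if the first X-Content-Type-Options value is 'nosniff'."""
    values = headers.get("x-content-type-options", [])
    first = ",".join(values).split(",")[0].strip().lower()
    return first == "nosniff"


def audit(raw_head):
    """Return 'ok' or a finding for one top-level document response."""
    headers = parse_headers(raw_head)
    content_type = headers.get("content-type", [""])[0].strip()
    if has_nosniff(headers) and not content_type:
        return "download-risk: nosniff set, Content-Type missing or empty"
    return "ok"


# Constructed sample response heads (not captured from a real server).
MISSING_TYPE = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n"
EMPTY_TYPE = ("HTTP/1.1 200 OK\r\nContent-Type:\r\n"
              "X-Content-Type-Options: NoSniff\r\n\r\n")
CORRECT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
           "X-Content-Type-Options: nosniff\r\n\r\n")
NO_NOSNIFF = "HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("missing", MISSING_TYPE), ("empty", EMPTY_TYPE),
                        ("correct", CORRECT), ("no-nosniff", NO_NOSNIFF)]:
        print(f"{label}: {audit(head)}")
```

The fix for a flagged response is on the server side: send an explicit Content-Type such as text/html for every HTML document.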