Reducing MIME type security risks
The script and styleSheet elements will reject responses with incorrect MIME types if the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion.
This change impacts the browser's behavior when the server sends the "X-Content-Type-Options: nosniff" header on its responses.
If the "nosniff" directive is received on a response retrieved by a styleSheet reference, Windows Internet Explorer will not load the "stylesheet" file unless the MIME type matches "text/css".
If the "nosniff" directive is received on a response retrieved by a script reference, Internet Explorer will not load the "script" file unless the MIME type matches one of the following values:
- "application/ecmascript"
- "application/javascript"
- "application/x-javascript"
- "text/ecmascript"
- "text/javascript"
- "text/jscript"
- "text/x-javascript"
- "text/vbs"
- "text/vbscript"
When such content is blocked, the F12 developer tools show the following message:
SEC7112: Script from http://www.debugtheweb.com/test/mime/textplainnosniff.asp was blocked due to mime type mismatch script.asp
Ensure that any response served with the "nosniff" directive has a MIME type that matches one of the values listed previously.
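The following is an added example, not code from the original page, that models the blocking decision described above so a server's responses can be audited offline. It assumes the allowed MIME lists are exactly those stated on this page; the header dictionaries at the bottom are constructed sample responses, and the returned reason text is constructed wording modelled on the SEC7112 message.

```python
from typing import Dict, Optional

# Allowed media types for each context, exactly as listed on the page (assumption).
SCRIPT_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/x-javascript",
    "text/vbs", "text/vbscript",
}
STYLESHEET_TYPES = {"text/css"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Bare media type, lower-cased, with parameters such as charset removed."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when the response carries X-Content-Type-Options: nosniff."""
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def would_block(headers: Dict[str, str], context: str) -> Optional[str]:
    """Return None if the load proceeds, else a reason string.
    context is "script" or "stylesheet"."""
    if context not in ("script", "stylesheet"):
        raise ValueError("context must be 'script' or 'stylesheet'")
    if not nosniff_enabled(headers):
        return None  # without nosniff the browser may still sniff the content
    allowed = SCRIPT_TYPES if context == "script" else STYLESHEET_TYPES
    mt = media_type(get_header(headers, "Content-Type"))
    if mt in allowed:
        return None
    return f"{context} blocked due to mime type mismatch (Content-Type: {mt or '(none)'})"


# Constructed sample responses for a quick audit run.
SAMPLES = [
    ({"X-Content-Type-Options": "nosniff", "Content-Type": "text/plain"}, "script"),
    ({"X-Content-Type-Options": "nosniff", "Content-Type": "text/javascript; charset=utf-8"}, "script"),
    ({"x-content-type-options": "NOSNIFF", "content-type": "Text/CSS"}, "stylesheet"),
]
```

Running `would_block` over each entry of `SAMPLES` flags only the first one (text/plain served as a script), which is the mismatch the SEC7112 message reports.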
If you find any sites that are sending improper MIME types and behave incorrectly in Internet Explorer, please file a bug on Connect.