Currently, support for “X-Content-Type-Options: nosniff” is limited to
CSS and JS resources. In Firefox 70 I intend to enable nosniff support for
page navigations by default.

If a server's response does not include any MIME type but sets the response
header "XCTO: nosniff", then Firefox will prompt the user to download the
file instead of trying to sniff the MIME type, eliminating the attack
vector of so-called MIME-confusion attacks.

Supporting XCTO: nosniff not only for JS and CSS but also for top-level
navigations will create parity with other browsers (Chrome, Safari), which
already support XCTO: nosniff for navigations.


Link to standard:

Platform coverage: This will be exposed to all platforms.

Estimated or target release: Firefox 70

Is this feature enabled by default in sandboxed iframes? N/A

DevTools bug:

Do other browser engines implement this? Yes

Secure contexts: This feature isn’t restricted to Secure Contexts.

Bug implementing and enabling this feature:
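
An added example, not part of the original post and not Mozilla's code: a small Python audit that models the navigation behaviour described above, so a site operator can find responses that would turn into a download prompt once nosniff applies to navigations. The sample responses are constructed, and treating an empty `Content-Type` value the same as a missing one is an assumption of this sketch.

```python
# Constructed sample responses (status line + headers); not captured traffic.
SAMPLES = {
    "/report.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                    "X-Content-Type-Options: nosniff\r\n\r\n",
    "/export":      "HTTP/1.1 200 OK\r\nX-Content-Type-Options: NoSniff\r\n"
                    "Content-Length: 120\r\n\r\n",
    "/legacy":      "HTTP/1.1 200 OK\r\nContent-Length: 42\r\n\r\n",
    "/empty-type":  "HTTP/1.1 200 OK\r\nContent-Type:\r\n"
                    "X-Content-Type-Options: nosniff\r\n\r\n",
}


def parse_headers(raw):
    """Parse the header block of a raw response into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def navigation_outcome(raw):
    """Model of a top-level navigation to this response, per the post.

    Simplification (assumption): the nosniff value is compared as a single
    case-insensitive token; comma-separated values are not handled.
    """
    headers = parse_headers(raw)
    has_type = bool(headers.get("content-type", ""))
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if has_type:
        return "uses-declared-type"
    if nosniff:
        return "download-prompt"            # no MIME type + nosniff
    return "sniffed"                        # no MIME type, no nosniff


def audit(samples):
    """Return the paths whose navigation would end in a download prompt."""
    return [p for p, raw in samples.items()
            if navigation_outcome(raw) == "download-prompt"]


if __name__ == "__main__":
    for path in audit(SAMPLES):
        print(f"{path}: add an explicit Content-Type or users get a download prompt")
```
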

