Currently the Support for “X-Content-Type-Options: nosniff“ is limited to CSS and JS resources. In Firefox 70 I intend to enable nosniff support for page navigations by default.
If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will prompt the user to download the file instead of trying to sniff the mime-type, eliminating the attack vector of so called mime-confusion attacks. Supporting XCTO: nosniff not only for JS and CSS but also for top-level navigations will create parity with other browsers (Chrome, Safari) who are already supporting XCTO: nosniff for navigations. Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1428473 Link to standard: https://fetch.spec.whatwg.org/#x-content-type-options-header Platform coverage: This will be exposed to all platforms. Estimated or target release: Firefox 70 Is this feature enabled by default in sandboxed iframes? N/A DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1571415 Do other browser engines implement this? Yes Secure contexts: This feature isn’t restricted to Secure Contexts. Bug implementing and enabling this feature: - https://bugzilla.mozilla.org/show_bug.cgi?id=1469592 - https://bugzilla.mozilla.org/show_bug.cgi?id=1570658 _______________________________________________ dev-platform mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-platform