> I disagree. Much of the Web actually relies on this today, and for the > most part it works. For example, when you do: > > <img src="foo" ...> > > ...the Content-Type is ignored except for SVG.
Well, <img> is actually a fairly special case of content that is difficult for attackers to spoof and that can't be easily read back across domains without additional CORS headers. But I believe that in Chrome and in Firefox, C-T checks or other mitigations have been recently added at least <script>, <link rel=stylesheet>, and <object> / <embed>, all of which lead to interesting security problems when they are used to load other types of documents across origins. Similar changes are being made also for a couple of other cases, such as <a download>. /mz