diff --git a/fetch.bs b/fetch.bs index 4d01e315b..85ca5f9fe 100755 --- a/fetch.bs +++ b/fetch.bs @@ -4030,6 +4030,53 @@ X-Content-Type-Options = "nosniff" ; case-insensitive
Only request destinations that are
script-like or "style" are considered as any exploits
pertain to them. Also, considering "image" was not compatible with deployed content.
+
+
The following examples illustrate how the algorithm works: + +
A request for a JavaScript file with destination
+ "script" to a response that has
+ `X-Content-Type-Options: nosniff` and
+ `Content-Type: application/javascript` will return allowed
+ (JavaScript MIME type matches script-like destination).
+
+
A request for a JavaScript file with destination
+ "script" to a response that has
+ `X-Content-Type-Options: nosniff` and
+ `Content-Type: text/html` will return blocked
+ (MIME type mismatch: HTML is not a JavaScript MIME type).
+
+
A request for a JavaScript file with destination
+ "script" to a response that has
+ `X-Content-Type-Options: nosniff` and no
+ `Content-Type` header will return blocked
+ (no MIME type provided, so mimeType is failure).
+
+
A request for a CSS file with destination
+ "style" to a response that has
+ `X-Content-Type-Options: nosniff` and
+ `Content-Type: text/css` will return allowed
+ (CSS MIME type matches style destination).
+
+
A request for a CSS file with destination
+ "style" to a response that has
+ `X-Content-Type-Options: nosniff` and
+ `Content-Type: application/javascript` will return blocked
+ (MIME type mismatch: JavaScript is not text/css).
+
+
A request for an image with destination
+ "image" to a response that has
+ `X-Content-Type-Options: nosniff` and
+ `Content-Type: text/html` will return allowed
+ (image destinations are not checked by this algorithm).
+
+
A request for a JavaScript file with destination
+ "script" to a response that does not have an
+ `X-Content-Type-Options` header will return allowed
+ (no nosniff directive present).
+
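Review bot: The lead phrase used in most of these examples, "A request for a JavaScript file" / "A request for a CSS file", describes the resource rather than what the algorithm actually consults; the outcome depends only on the request's destination and the response's `X-Content-Type-Options` and `Content-Type` headers, so the wording invites the misreading that the body or URL is inspected. Consider rephrasing each case as `A request with destination "script" to a response that has ...`, which is the form the image example already uses. The final example (no `X-Content-Type-Options` header) would also be stronger if it named a mismatching `Content-Type` such as `text/html`, making explicit that without the nosniff directive the destination checks are skipped entirely rather than merely happening to pass.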