X-Content-Type-Options: nosniff
Because IE determines the Content-Type not only from the Content-Type header but also by scanning the response body, this behaviour can lead to XSS. For example, when a server outputs something like
<script type="text/javascript">
// Do something more malicious
alert(document.cookie);
</script>
with a Content-Type of text/plain, IE may run the script.
To prevent IE from determining the Content-Type this way, you should add this header:

X-Content-Type-Options: nosniff
As of IE8, IE no longer scans the content to determine its Content-Type when this header is present.
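As an added example that is not part of the original article, the following Python code shows one way to apply the header on the server side: a WSGI middleware that adds X-Content-Type-Options: nosniff to every response, and a small audit helper that flags the risky case described above (a text/plain body that looks like markup, served without the header). The app, the sample body and the helper names are constructed for this illustration.

```python
from wsgiref.util import setup_testing_defaults

NOSNIFF = ("X-Content-Type-Options", "nosniff")


def nosniff_middleware(app):
    # Wrap a WSGI app so every response carries the header, replacing any prior value.
    def wrapped(environ, start_response):
        def start_with_nosniff(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-content-type-options"]
            headers.append(NOSNIFF)
            return start_response(status, headers, exc_info)
        return app(environ, start_with_nosniff)
    return wrapped


def audit_response(headers, body):
    # Flag the article's risky case: a non-HTML Content-Type whose body looks like
    # markup, served without nosniff, so a sniffing browser may treat it as HTML.
    hdrs = {k.lower(): v for k, v in headers}
    findings = []
    if hdrs.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "text/html" and b"<script" in body.lower():
            findings.append(f"{ctype or 'no Content-Type'} body contains <script>; "
                            "a sniffing browser may execute it")
    return findings


def plain_text_app(environ, start_response):
    # Constructed sample app: echoes untrusted text as text/plain, the article's scenario.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"<script>alert(1)</script>"]


def run(app):
    # Invoke a WSGI app once in-process (no network) and return (headers, body).
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body
```

Running `audit_response(*run(plain_text_app))` reports both findings, while the same app wrapped in `nosniff_middleware` reports none.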