(outdated) Firefox 72 allows for MIME sniffing on top-level documents when no Content Type is set

[bsmth]

edit: See #25371 (comment)

Summary

Adding impl_ulrs for some HTTP features. These were documented in MDN content prose, and removed in recent PRs.

• https://github.com/mdn/content/pull/36862/files#diff-6d93852f46300729c5d2d2fd850f48e170246f9d26495d4b8afbc02cf6496777

Related issues

Follow-up from:

• chore(http): Refresh headers ~[s->x] content#36862

[caugner]

In other words: Firefox ignores the X-Content-Type-Options header if the response has no Content-Type header?

[bsmth]

Yes, you should be setting a Content-Type if you're saying X-Content-Type-Options: nosniff.

[caugner]

Would this be accurate and easier to understand?

Suggested change

	"notes": "Since version 72, Content Type sniffing is enabled on top-level documents that have no `Content-Type`, even when `X-Content-Type-Options: nosniff` is set."
	"notes": "Firefox 72 and later ignores the header on top-level documents that have no `Content-Type` set."

[bsmth]

Oh, after digging, this was reverted in Fx 75, https://bugzilla.mozilla.org/show_bug.cgi?id=1594766

So from 75 onwards, it's as follows:

/*
* If we did not get a useful Content-Type from the server
* but also have sniffing disabled, just determine whether
* to use text/plain or octetstream and log an error to the Console
*/

So X-Content-Type-Options: nosniff is respected.

See https://web.archive.org/web/20200410215516/https://blog.mozilla.org/security/2020/04/07/firefox-75-will-respect-nosniff-for-page-loads/

I think we can close this as there's nothing really useful to add here.