When should I use HTTP header "X-Content-Type-Options: nosniff"

browser http-headers cross-browser mime-types web-standards
HappyDog picture HappyDog · Sep 27, 2018 · Viewed 9.2k times · Source

I've been running some penetration tests using OWASP ZAP and it raises the following alert for all requests: X-Content-Type-Options Header Missing.

I understand the header, and why it is recommended. It is explained very well in this StackOverflow question.

However, I have found various references that indicate that it is only used for .js and .css files, and that it might actually be a bad thing to set the header for other MIME types:

  • Note: nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites. [1]
  • Firefox ran into problems supporting nosniff for images (Chrome doesn't support it there). [2]
  • Note: Modern browsers only respect the header for scripts and stylesheets and sending the header for other resources (such as images) when they are served with the wrong media type may create problems in older browsers. [3]

The above references (and others) indicate that it is bad to simply set this header for all responses, but despite following any relevant-looking links and searching on Google, I couldn't find any reason behind this argument.

What are the risks/problems associated with setting X-Content-Type-Options: nosniff and why should it be avoided for MIME types other than text/css and text/javascript?

Or, if there are no risks/problems, why are Mozilla (and others) suggesting that there are?

Answer

HappyDog picture HappyDog · Feb 1, 2019

The answer by Sean Thorburn was very helpful and pointed me to some good material, which is why I awarded the bounty. However, I have now done some more digging and I think I have the answer I need, which turns out to be the opposite of the answer given by Sean.

I will therefore answer my own questions:

The above references (and others) indicate that it is bad to simply set this header for all responses, but despite following any relevant-looking links and searching on Google, I couldn't find any reason behind this argument.

There is a misinterpretation here - this is not what they are indicating.

The resources I found during my research referred to the header only being respected for "script and style types", which I interpreted this to mean files that were served as text/javascript or text/css.

However, what they actually referring to was the context in which the file is loaded, not the MIME type it is being served as. For example, <script> or <link rel="stylesheet"> tags.

Given this interpretation, everything make a lot more sense and the answer becomes clear:

You need to serve all files with a nosniff header to reduce the risk of injection attacks from user content.

Serving up only CSS/JS files with this header is pointless, as these types of file would be acceptable in this context and don't need any additional sniffing.

However, for other types of file, by disallowing sniffing we ensure that only files whose MIME type matches the expected type are allowed in each context. This mitigates the risk of a malicious script being hidden in an image file (for example) in a way that would bypass upload checks and allow third-party scripts to be hosted from your domain and embedded into your site.

What are the risks/problems associated with setting X-Content-Type-Options: nosniff and why should it be avoided for MIME types other than text/css and text/javascript?

Or, if there are no risks/problems, why are Mozilla (and others) suggesting that there are?

There are no problems.

The problems being described are issues regarding the risk of breaking compatibility with existing sites. Mozilla's research indicated that enforcing a nosniff option on <img> tags would break a lot of sites due to server misconfigurations and therefore the header is ignored in image contexts.

Other contexts (e.g. HTML pages, downloads, fonts, etc.) either don't employ sniffing, don't have an associated risk or have compatibility concerns that prevent sniffing being disabled.

Therefore they are not suggesting that you should avoid the use of this header, at all.

However, the issues that they talk about do result in an important footnote to this discussion:

If you are using a nosniff header, make sure you are also serving the correct Content-Type header!

Some references, that helped me to understand this a bit more fully:

  1. The WhatWG Fetch standard that defines this header.
  2. A discussion and code commit relating to this header for the webhint.io site checking tool.

Related questions

Do I need Content-Type: application/octet-stream for file download?

The HTTP standard says: If this header [Content-Disposition: attachment] is used in a response with the application/octet-stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' …

Read More
How to encode the filename parameter of Content-Disposition header in HTTP?

Web applications that want to force a resource to be downloaded rather than directly rendered in a Web browser issue a Content-Disposition header in the HTTP response of the form: Content-Disposition: attachment; filename=FILENAME The filename parameter can be used …

Read More
How do I force files to open in the browser instead of downloading (PDF)?

Is there a way to force PDF files to open in the browser when the option "Display PDF in browser" is unchecked? I tried using the embed tag and an iframe, but it only works when that option is checked. …

Read More