X-Content-Type-Options + passive content?

The question of how X-Content-Type-Options: nosniff interacts with passive content came up today on Twitter. I had always assumed that browsers would block passive content where the MIME type was incorrect and nosniff was set, but I decided to test.

Below is a delightful image of a Snorlax. It's a PNG, but the extension is .jpg and nginx delivers its MIME type as image/jpeg:

Sleeping Snorlax
© Nintendo or The Pokémon Company or Something

Can you see this image? I sure can. If you're using Firefox, Chrome, Safari, Edge — really anything but Internet Explorer — it shows up just fine.

Here is the same image, but with no extension. By default, nginx sets its MIME type as application/octet-stream:

Sleeping Snorlax
© Same corporations or people. But I repeat myself, apparently.

Here, Firefox (50+), Edge, and Internet Explorer block it, but Chrome and Safari display it just fine.

How about audio? With HTML5 audio, you get to tell it exactly what the MIME type is! Here is an mp3 (audio/mpeg), but it has a .ogg (audio/ogg) extension and I've set the HTML5 audio type attribute to audio/mp4:

© Hiroyuki Masuno? Maybe?

IE11, Edge, and Safari fail due to MIME type confusion, but not because of X-Content-Type-Options. Firefox and Chrome? They play that sweet, sweet 1987 video game music just fine.
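As an added example (not part of the original post), here is a small Python audit of the kind a defender would run against a deployment to catch the three mismatches above: it compares the declared Content-Type with the body's magic bytes and records whether nosniff was sent, instead of trusting any browser to block. The file names, header sets and byte stubs are constructed stand-ins for the post's files.

```python
# Leading-byte signatures for the formats the post exercises (constructed
# table, deliberately small). The bytes decide the real type, not the file
# extension or what nginx's mime.types maps that extension to.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"ID3", "audio/mpeg"),
    (b"OggS", "audio/ogg"),
]

def sniff(body):
    """Return the media type implied by the first bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    # Tagless MP3 streams begin with an MPEG frame sync: 11 set bits.
    if len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0:
        return "audio/mpeg"
    return None

def audit(headers, body):
    """Declared vs. sniffed type plus nosniff status. nosniff alone does not
    settle how a mismatched passive resource renders: Fetch requires nosniff
    blocking only for script and style destinations; images and audio vary."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    declared = hdrs.get("content-type", "").split(";")[0].strip().lower()
    nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
    sniffed = sniff(body)
    if sniffed is None or sniffed == declared:
        verdict = "ok"
    elif declared == "application/octet-stream":
        verdict = "generic-type"  # no extension mapping; browser must guess
    else:
        verdict = "wrong-type"    # mapping exists but names a different format
    return {"declared": declared, "sniffed": sniffed, "nosniff": nosniff, "verdict": verdict}

# Constructed stand-ins for the post's three files: realistic headers,
# fake bodies that carry only the magic bytes.
PNG_AS_JPG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MP3_AS_OGG = b"ID3\x04\x00\x00" + b"\x00" * 16
NOSNIFF = {"X-Content-Type-Options": "nosniff"}
CASES = [
    ("snorlax.jpg", {"Content-Type": "image/jpeg", **NOSNIFF}, PNG_AS_JPG),
    ("snorlax", {"Content-Type": "application/octet-stream", **NOSNIFF}, PNG_AS_JPG),
    ("music.ogg", {"Content-Type": "audio/ogg", **NOSNIFF}, MP3_AS_OGG),
]

def run_cases():
    """Audit every constructed case and return {name: verdict}."""
    return {name: audit(h, b)["verdict"] for name, h, b in CASES}
```

In a real check, `headers` and `body` would come from an HTTP client fetching each asset; only the first few hundred bytes of the body are needed.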

In conclusion, I should stop making assumptions about how browsers behave, particularly when it comes to quasi-standards like X-Content-Type-Options.
