- A web browser requests a particular asset, and the server responds with either no content type or a content type previously set at the origin server.
- The web browser "sniffs" the content to analyze what file format that particular asset is.
- Once the browser has completed its analysis, it compares what it found against what the web server provided in the Content-Type header (if anything). If there is a mismatch, the browser uses the MIME type that it determined to be associated with the asset.
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. This is a way to opt out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured.
Blocks a request if the request destination is of type:
style" and the MIME type is not
Enables Cross-Origin Read Blocking (CORB) protection for the MIME-types:
application/json or any other type with a JSON extension:
application/xml or any other type with an XML extension:
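The following added example (not part of the original page) audits a response's headers for the sniffing exposure and the nosniff effects described above. All function and field names are hypothetical. The `text/css` requirement for "style" requests and the exclusion of `image/svg+xml` are taken from the Fetch standard and CORB behaviour, not from this page.

```javascript
// Added example (not from the original page). All names are hypothetical.

// Return the lowercased "type/subtype" of a Content-Type value, or null.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/;]+\/[^\s\/;]+$/.test(essence) ? essence : null;
}

// Covers only the JSON and XML types named above.
function isJsonOrXml(mime) {
  if (mime === null || mime === "image/svg+xml") return false; // SVG is excluded
  return mime === "application/json" || mime.endsWith("+json") ||
         mime === "application/xml" || mime.endsWith("+xml");
}

// headers: plain object of response headers (any key casing).
// destination: request destination, e.g. "style", "image", "" for fetch().
function auditSniffing(headers, destination) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const mime = mimeEssence(h["content-type"]);
  // Only the first comma-separated value counts, compared case-insensitively.
  const xcto = (h["x-content-type-options"] || "").split(",")[0].trim().toLowerCase();
  const nosniff = xcto === "nosniff";
  const findings = [];
  if (!nosniff) {
    findings.push(mime ? "sniffable: declared type may be overridden"
                       : "sniffable: no usable Content-Type");
  } else if (!mime) {
    findings.push("misconfigured: nosniff without a usable Content-Type");
  }
  // Assumption from the Fetch standard: "style" requests require text/css.
  const blocked = nosniff && destination === "style" && mime !== "text/css";
  if (blocked) findings.push("blocked: style request, type is not text/css");
  return { mime, nosniff, blocked, corbJsonXml: nosniff && isJsonOrXml(mime), findings };
}

// Constructed sample responses.
const samples = [
  [{ "Content-Type": "text/plain" }, "style"],
  [{ "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" }, "style"],
  [{ "content-type": "application/vnd.api+json; charset=utf-8", "x-content-type-options": "NoSniff" }, ""],
  [{ "X-Content-Type-Options": "nosniff" }, "image"],
];
for (const [hdrs, dest] of samples) console.log(dest || "(fetch)", auditSniffing(hdrs, dest));
```

A response that reports `sniffable` is one where the browser's own analysis, not the server's declaration, can decide how the asset is treated.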