"x-content-type-options: nosniff" only for CSS and JS


#1

Two issues:

  1. The x-content-type-options setting mustn’t be under Crypto “HSTS”, since it isn’t related.
  2. Cloudflare must follow the spec and add “x-content-type-options: nosniff” only to JS and CSS, see
     https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff%3F and

‘Note: nosniff only applies to “script” and “style” types. Also applying nosniff to images turned out to be incompatible with existing web sites.’

Even when the origin server defines x-content-type-options correctly, Cloudflare will still rewrite it (and add a bug) when “No-Sniff Header” is enabled in Crypto > HSTS settings.
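As an added example (not part of the post, and not Cloudflare's or the spec's code), here is a Python model of the Fetch standard's "should response to request be blocked due to nosniff?" check linked above, showing that only script-like and style destinations are affected. It assumes a plain dict standing in for the response header list and simplified Content-Type parsing.

```python
# Added example: model of the Fetch standard's nosniff blocking check.
# Assumption: response headers are given as a dict (any key case).

SCRIPT_LIKE = {"audioworklet", "paintworklet", "script",
               "serviceworker", "sharedworker", "worker"}

# MIME type essences the Fetch/MIME Sniffing standards treat as JavaScript.
JS_MIME_ESSENCES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def determine_nosniff(headers):
    """True when the first X-Content-Type-Options value is 'nosniff' (case-insensitive)."""
    value = _header(headers, "x-content-type-options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def mime_essence(headers):
    """Return 'type/subtype' from Content-Type, or None when absent or unparseable."""
    ctype = _header(headers, "content-type")
    if not ctype:
        return None
    essence = ctype.split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None


def nosniff_verdict(destination, headers):
    """Return 'blocked' or 'allowed' for a request destination and response headers."""
    if not determine_nosniff(headers):
        return "allowed"            # header absent: nosniff does nothing
    essence = mime_essence(headers)
    if destination in SCRIPT_LIKE and essence not in JS_MIME_ESSENCES:
        return "blocked"
    if destination == "style" and essence != "text/css":
        return "blocked"
    return "allowed"                # image, document, font, ...: unaffected
```

Running it with an image destination shows the header is ignored there, which is exactly why sending it only for JS and CSS loses nothing.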