X-Content-Type-Options

X-Content-Type-Options 响应首部相当于一个提示标志,被服务器用来提示客户端一定要遵循在 Content-Type 首部中对  MIME 类型 的设定,而不能对其进行修改。这就禁用了客户端的 MIME 类型嗅探行为,换句话说,也就是意味着网站管理员确定自己的设置没有问题。

这个消息首部最初是由微软在 IE 8 浏览器中引入的,提供给网站管理员用作禁用内容嗅探的手段,内容嗅探技术可能会把不可执行的 MIME 类型转变为可执行的 MIME 类型。在此之后,其他浏览器也相继引入了这个首部,尽管它们的 MIME 嗅探算法没有那么有侵略性。

站点安全测试人员通常欢迎对这个首部进行设置。

注意: nosniff 只应用于 "script" 和 "style" 两种类型。事实证明,将其应用于图片类型的文件会导致与现有的站点冲突

Header type Response header
Forbidden header name no

语法

X-Content-Type-Options: nosniff

指令

nosniff
下面两种情况的请求将被阻止:
  • 请求类型是"style" 但是 MIME 类型不是 "text/css",
  • 请求类型是"script" 但是 MIME 类型不是  JavaScript MIME 类型

规范

Specification Status Comment
Fetch
X-Content-Type-Options definition		 Living Standard Initial definition

浏览器兼容性

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
X-Content-Type-Options
Non-standard
Chrome Full support 64
Full support 64
Partial support 1
Notes
Notes Not supported for stylesheets.
Edge Full support YesFirefox Full support 50IE Full support 8Opera Full support YesSafari No support NoWebView Android Full support 64
Full support 64
Partial support Partial
Notes
Notes Not supported for stylesheets.
Chrome Android Full support 64
Full support 64
Partial support Partial
Notes
Notes Not supported for stylesheets.
Firefox Android Full support 50Opera Android Full support YesSafari iOS No support NoSamsung Internet Android Full support Yes

Legend

Full support  
Full support
No support  
No support
Non-standard. Expect poor cross-browser support.
Non-standard. Expect poor cross-browser support.
See implementation notes.
See implementation notes.

相关内容

最后修改:

, by MDN contributors
相关主题
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept
    2. Accept-Charset
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch
    6. Accept-Ranges
    7. Access-Control-Allow-Credentials
    8. Access-Control-Allow-Headers
    9. Access-Control-Allow-Methods
    10. Access-Control-Allow-Origin
    11. Access-Control-Expose-Headers
    12. Access-Control-Max-Age
    13. Access-Control-Request-Headers
    14. Access-Control-Request-Method
    15. Age
    16. Allow
    17. Alt-Svc
    18. Authorization
    19. Cache-Control
    20. Clear-Site-Data
    21. Connection
    22. Content-Disposition
    23. Content-Encoding
    24. Content-Language
    25. Content-Length
    26. Content-Location
    27. Content-Range
    28. Content-Security-Policy
    29. Content-Security-Policy-Report-Only
    30. Content-Type
    31. Cookie
    32. Cookie2
    33. Cross-Origin-Resource-Policy
    34. DNT
    35. Date
    36. Digest
    37. ETag
    38. Early-Data
    39. Expect
    40. Expect-CT
    41. Expires
    42. Feature-Policy
    43. Forwarded
    44. From
    45. Host
    46. If-Match
    47. If-Modified-Since
    48. If-None-Match
    49. If-Range
    50. If-Unmodified-Since
    51. Index
    52. Keep-Alive
    53. Large-Allocation
    54. Last-Modified
    55. Link
    56. Location
    57. Origin
    58. Pragma
    59. Proxy-Authenticate
    60. Proxy-Authorization
    61. Public-Key-Pins
    62. Public-Key-Pins-Report-Only
    63. Range
    64. Referer
    65. Referrer-Policy
    66. Retry-After
    67. Save-Data
    68. Sec-WebSocket-Accept
    69. Server
    70. Server-Timing
    71. Set-Cookie
    72. Set-Cookie2
    73. SourceMap
    74. HTTP Strict Transport Security
    75. TE
    76. Timing-Allow-Origin
    77. Tk
    78. Trailer
    79. Transfer-Encoding
    80. Upgrade-Insecure-Requests
    81. 用户代理
    82. Vary
    83. Via
    84. WWW-Authenticate
    85. Want-Digest [我来译!]
    86. Warning
    87. X-Content-Type-Options
    88. DNS 预读取
    89. X-Forwarded-For
    90. X-Forwarded-Host
    91. X-Forwarded-Proto
    92. X-Frame-Options 响应头
    93. X-XSS-Protection
  19. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  20. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocol
    3. 103 Early Hints
    4. 200 OK
    5. 201 Created
    6. 202 Accepted
    7. 203 Non-Authoritative Information
    8. 204 No Content
    9. 205 Reset Content
    10. 206 Partial Content
    11. 300 Multiple Choices
    12. 301 Moved Permanently
    13. 302 Found
    14. 303 See Other
    15. 304 Not Modified
    16. 307 Temporary Redirect
    17. 308 Permanent Redirect
    18. 400 Bad Request
    19. 401 Unauthorized
    20. 402 Payment Required
    21. 403 Forbidden
    22. 404 Not Found
    23. 405 Method Not Allowed
    24. 406 Not Acceptable
    25. 407 Proxy Authentication Required
    26. 408 Request Timeout
    27. 409 Conflict
    28. 410 Gone
    29. 411 Length Required
    30. 412 Precondition Failed(先决条件失败)
    31. 413 Payload Too Large
    32. 414 URI Too Long
    33. 415 Unsupported Media Type
    34. 416 Range Not Satisfiable
    35. 417 Expectation Failed
    36. 418 I'm a teapot
    37. 422 Unprocessable Entity
    38. 425 Too Early
    39. 426 Upgrade Required
    40. 428 Precondition Required
    41. 429 Too Many Requests
    42. 431 Request Header Fields Too Large
    43. 451 Unavailable For Legal Reasons
    44. 500 内部服务器错误
    45. 501 Not Implemented
    46. 502 Bad Gateway
    47. 503 Service Unavailable
    48. 504 Gateway Timeout
    49. 505 HTTP Version Not Supported
    50. 511 Network Authentication Required
  21. CSP directives
    1. CSP: base-uri
    2. CSP: block-all-mixed-content
    3. CSP: child-src
    4. CSP: connect-src
    5. CSP: default-src
    6. CSP: font-src
    7. CSP: form-action
    8. CSP: frame-ancestors
    9. CSP: frame-src [我来译!]
    10. CSP: img-src [我来译!]
    11. CSP: manifest-src [我来译!]
    12. CSP: media-src [我来译!]
    13. CSP: navigate-to [我来译!]
    14. CSP: object-src [我来译!]
    15. CSP: plugin-types [我来译!]
    16. CSP: prefetch-src [我来译!]
    17. CSP: referrer [我来译!]
    18. report-to
    19. CSP: report-uri [我来译!]
    20. CSP: require-sri-for
    21. CSP: sandbox
    22. CSP: script-src [我来译!]
    23. CSP: script-src-attr [我来译!]
    24. CSP: script-src-elem [我来译!]
    25. CSP: style-src [我来译!]
    26. CSP: style-src-attr [我来译!]
    27. CSP: style-src-elem [我来译!]
    28. CSP: trusted-types [我来译!]
    29. CSP: upgrade-insecure-requests
    30. CSP: worker-src [我来译!]
  22. CORS errors
    1. Reason: CORS disabled
    2. 原因:CORS 头 'Access-Control-Allow-Origin'与'xyz'不匹配
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing
    4. Reason: CORS header ‘Origin’ cannot be added
    5. Reason: CORS preflight channel did not succeed
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed
    8. 原因:CORS 请求不是 HTTP
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed [我来译!]
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ [我来译!]
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ [我来译!]
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’ [我来译!]
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel [我来译!]
  23. Feature-Policy directives
    1. Feature-Policy: accelerometer [我来译!]
    2. Feature-Policy: ambient-light-sensor [我来译!]
    3. Feature-Policy: autoplay
    4. Feature-Policy: camera [我来译!]
    5. Feature-Policy: display-capture [我来译!]
    6. Feature-Policy: document-domain [我来译!]
    7. Feature-Policy: encrypted-media [我来译!]
    8. Feature-Policy: fullscreen [我来译!]
    9. Feature-Policy: geolocation [我来译!]
    10. Feature-Policy: gyroscope [我来译!]
    11. Feature-Policy: layout-animations [我来译!]
    12. Feature-Policy: legacy-image-formats [我来译!]
    13. Feature-Policy: magnetometer [我来译!]
    14. Feature-Policy: microphone [我来译!]
    15. Feature-Policy: midi [我来译!]
    16. Feature-Policy: oversized-images [我来译!]
    17. Feature-Policy: payment [我来译!]
    18. Feature-Policy: picture-in-picture [我来译!]
    19. Feature-Policy: speaker [我来译!]
    20. Feature-Policy: sync-xhr [我来译!]
    21. Feature-Policy: unoptimized-images [我来译!]
    22. Feature-Policy: unsized-media [我来译!]
    23. Feature-Policy: usb [我来译!]
    24. Feature-Policy: vibrate [我来译!]
    25. Feature-Policy: vr [我来译!]
    26. Feature-Policy: wake-lock [我来译!]
    27. Feature-Policy: webauthn [我来译!]
    28. Feature-Policy: xr [我来译!]