From 007025f2668391889c68521b932018933c0a2047 Mon Sep 17 00:00:00 2001
From: ADITYA CHAUHAN <125276621+hooiv@users.noreply.github.com>
Date: Sun, 27 Jul 2025 15:35:22 +0530
Subject: [PATCH] Add examples for X-Content-Type-Options header

Add examples for X-Content-Type-Options header

Addresses issue [#636](https://github.com/whatwg/fetch/issues/636) by adding comprehensive examples to the
'Should response to request be blocked due to nosniff?' algorithm.

The examples clarify:
- When responses are blocked (MIME type mismatch, missing Content-Type)
- When responses are allowed (correct MIME type, no X-Content-Type-Options header)
- Different request destinations (script, style, image)

This should help web developers and implementers understand the exact
behavior of the X-Content-Type-Options: nosniff directive.
---
 fetch.bs | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/fetch.bs b/fetch.bs
index 4d01e315b..85ca5f9fe 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -4030,6 +4030,53 @@ X-Content-Type-Options           = "nosniff" ; case-insensitive
 <p class=note>Only <a for=/>request</a> <a for=request>destinations</a> that are
 <a for=request/destination>script-like</a> or "<code>style</code>" are considered as any exploits
 pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.
+
+<div class=example>
+<p>The following examples illustrate how the algorithm works:
+
+<ul>
+ <li><p>A <a for=/>request</a> for a JavaScript file with <a for=request>destination</a>
+ "<code>script</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and
+ `<code>Content-Type</code>: <code>application/javascript</code>` will return <b>allowed</b>
+ (JavaScript MIME type matches script-like destination).
+
+ <li><p>A <a for=/>request</a> for a JavaScript file with <a for=request>destination</a>
+ "<code>script</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and
+ `<code>Content-Type</code>: <code>text/html</code>` will return <b>blocked</b>
+ (MIME type mismatch: HTML is not a JavaScript MIME type).
+
+ <li><p>A <a for=/>request</a> for a JavaScript file with <a for=request>destination</a>
+ "<code>script</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and no
+ `<code>Content-Type</code>` header will return <b>blocked</b>
+ (no MIME type provided, so <var>mimeType</var> is failure).
+
+ <li><p>A <a for=/>request</a> for a CSS file with <a for=request>destination</a>
+ "<code>style</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and
+ `<code>Content-Type</code>: <code>text/css</code>` will return <b>allowed</b>
+ (CSS MIME type matches style destination).
+
+ <li><p>A <a for=/>request</a> for a CSS file with <a for=request>destination</a>
+ "<code>style</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and
+ `<code>Content-Type</code>: <code>application/javascript</code>` will return <b>blocked</b>
+ (MIME type mismatch: JavaScript is not text/css).
+
+ <li><p>A <a for=/>request</a> for an image with <a for=request>destination</a>
+ "<code>image</code>" to a <a for=/>response</a> that has
+ `<a http-header><code>X-Content-Type-Options</code></a>: <code>nosniff</code>` and
+ `<code>Content-Type</code>: <code>text/html</code>` will return <b>allowed</b>
+ (image destinations are not checked by this algorithm).
+
+ <li><p>A <a for=/>request</a> for a JavaScript file with <a for=request>destination</a>
+ "<code>script</code>" to a <a for=/>response</a> that does not have an
+ `<a http-header><code>X-Content-Type-Options</code></a>` header will return <b>allowed</b>
+ (no nosniff directive present).
+</ul>
+</div>
 </div>
 
 
