TL;DR: Serving script directly from `` is a Bad Idea™. Use GitHub Pages instead!

Support for blocking scripts that opt-in to strict MIME-type checking landed in Canary a few weeks back[1], matching the behavior of IE8, 9, and 10. This means that resources delivered with an `X-Content-Type-Options: nosniff` header will only execute if they're also delivered with an appropriate `Content-Type` header (`application/javascript`, for example). Web applications (especially those that accept user-controlled content) can use these headers to protect themselves from some interesting XSS injections that rely on otherwise unexecutable files being MIME-sniffed into JavaScript.

I like this change; it's good for security in a belts-and-braces sort of way.

One effect, however, is causing a bit of consternation[2]: GitHub serves resources from `` with `Content-Type: text/plain` and `X-Content-Type-Options: nosniff` headers; they don't actually want you using `` as a CDN. This change breaks pages that are loading script directly from a GitHub repo: you'll see errors like "Refused to execute script from '[URL]' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled."

GitHub (and I!) would very much prefer that you use Pages[3] to serve content. It's easier on their servers, it's very well supported by the tools they offer, and it will work in browsers that support `X-Content-Type-Options`.

Shared publiclyView activity