TL;DR: Serving script directly from `` is a Bad Idea™. Use GitHub Pages instead!

Support for blocking scripts that opt in to strict MIME-type checking landed in Canary a few weeks back[1], matching the behavior of IE8, 9, and 10. This means that resources delivered with an `X-Content-Type-Options: nosniff` header will only execute if they're also delivered with an appropriate `Content-Type` header (`application/javascript`, for example). Web applications (especially those that accept user-controlled content) can use these headers to protect themselves from some interesting XSS injections that rely on otherwise unexecutable files being MIME-sniffed into JavaScript.

I like this change; it's good for security in a belts-and-braces sort of way.

One effect, however, is causing a bit of consternation[2]: GitHub serves resources from `` with `Content-Type: text/plain` and `X-Content-Type-Options: nosniff` headers; they don't actually want you using `` as a CDN. This change breaks pages that are loading script directly from a GitHub repo: you'll see errors like "Refused to execute script from '[URL]' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled."

GitHub (and I!) would very much prefer that you use Pages[3] to serve content. It's easier on their servers, it's very well supported by the tools they offer, and it will work in browsers that support `X-Content-Type-Options`.

Timestamp: 02/12/13 15:44:51 (3 weeks ago); Author:; Message: Implement script MIME restrictions for X-Content-Type-Options: nosniff ...
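The check described in the post can be modelled in a few lines. This is an added example, not part of the original post or of any browser's code; it assumes the JavaScript MIME type list from the WHATWG MIME Sniffing standard, and the sample headers are constructed.

```javascript
// Simplified model of the strict MIME check applied to <script src> responses.
const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript',
  'application/x-ecmascript', 'application/x-javascript',
  'text/ecmascript', 'text/javascript', 'text/javascript1.0',
  'text/javascript1.1', 'text/javascript1.2', 'text/javascript1.3',
  'text/javascript1.4', 'text/javascript1.5', 'text/jscript',
  'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Header names are case-insensitive, so lower-case them once.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// "text/javascript; charset=utf-8" -> "text/javascript"
function mimeEssence(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Returns { blocked, reason } for a response requested as a script.
function scriptVerdict(headers) {
  const h = normaliseHeaders(headers);
  const essence = mimeEssence(h['content-type']);
  const optIn = (h['x-content-type-options'] || '').split(',')[0].trim().toLowerCase();
  if (optIn !== 'nosniff') {
    return { blocked: false, reason: 'no nosniff opt-in, strict check not applied' };
  }
  if (JS_MIME_TYPES.has(essence)) {
    return { blocked: false, reason: `nosniff with executable type '${essence}'` };
  }
  return { blocked: true, reason: `nosniff with non-executable type '${essence}'` };
}

// Constructed sample responses (not captured traffic).
const samples = {
  rawRepoFile: { 'Content-Type': 'text/plain', 'X-Content-Type-Options': 'nosniff' },
  noOptIn: { 'Content-Type': 'text/plain' },
  hardenedApp: { 'content-type': 'Application/JavaScript; charset=utf-8', 'x-content-type-options': 'NoSniff' },
  userUpload: { 'Content-Type': 'image/png', 'X-Content-Type-Options': 'nosniff' },
};

for (const [name, headers] of Object.entries(samples)) {
  const v = scriptVerdict(headers);
  console.log(`${name}: ${v.blocked ? 'refused' : 'not refused'} (${v.reason})`);
}
```

The `userUpload` case is the defensive one: an uploaded file served with its real type and `nosniff` is refused when something tries to load it as script.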
+Mathias Bynens: Clever! Does that actually cache the resources, or does it just pass through to GitHub's backend? ... I guess I could just look at the source, couldn't I?
Looks like a straight passthrough. Not sure GitHub would be any happier about this solution, but it does look like a reasonable option for testing.

The problem, of course, is that folks often take these testing solutions and deploy them. :)
Glad this issue is getting some publicity. GitHub should also make a post on their blog.
Silly question maybe, but how do you use pages to reference files?