Remove Content Type Sniffing for Worker Scripts

Worker scripts will be rejected unless they're delivered with a JavaScript MIME type (


Web browsers will execute JavaScript, apply CSS, etc., even if the Content-Type header indicates a non-matching MIME type. For example, including a text/html resource via a <script src=...> tag would succeed. This has been a security concern for quite a while, and there is a long-standing desire to eliminate or at least reduce it. Tightening MIME type restrictions makes it less likely that a server's resources are inadvertently executed as script, and allows us to tighten CORB (Cross-Origin Read Blocking) protections outside the renderer process.



Status in Chromium


No active development (tracking bug)


This is one step in the long-term process of eliminating content type sniffing. Since worker scripts are a relatively new feature, they have not yet acquired the legacy baggage of other features, which allows us to remove this particular feature combination without much risk and before unsuitable usage becomes a legacy. There is also a trivial workaround for any affected developer: just serve your scripts with a proper MIME type.
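
A site operator can check in advance which responses would still load as worker scripts once sniffing is gone. The following is an added example, not code from Chromium or from this page: it assumes the browser check matches the JavaScript MIME type list in the WHATWG MIME Sniffing standard, and the helper names and sample responses are constructed for illustration.

```javascript
// JavaScript MIME type essences, as listed in the WHATWG MIME Sniffing standard.
const JAVASCRIPT_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its essence ("type/subtype"),
// dropping parameters such as charset. Returns null when the header is
// absent or is not a well-formed type/subtype pair.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const token = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// Hypothetical audit helper: decide, from the declared type alone (no
// sniffing of the body), whether each response could load as a worker.
function auditWorkerScripts(responses) {
  return responses.map(({ url, contentType }) => {
    const essence = mimeEssence(contentType);
    let verdict;
    if (essence === null) {
      verdict = "rejected: missing or malformed Content-Type";
    } else if (JAVASCRIPT_MIME_ESSENCES.has(essence)) {
      verdict = "accepted";
    } else {
      verdict = `rejected: ${essence} is not a JavaScript MIME type`;
    }
    return { url, essence, verdict };
  });
}

// Constructed sample responses (not real traffic).
const SAMPLE_RESPONSES = [
  { url: "/workers/sync.js", contentType: "text/javascript; charset=utf-8" },
  { url: "/workers/legacy.js", contentType: "Application/X-JavaScript" },
  { url: "/uploads/notes.txt", contentType: "text/plain" },
  { url: "/api/profile", contentType: "application/json" },
  { url: "/workers/untyped.js", contentType: undefined },
];

for (const row of auditWorkerScripts(SAMPLE_RESPONSES)) {
  console.log(`${row.url}: ${row.verdict}`);
}
```
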

Last updated on 2020-10-25