As other major browsers (IE, Chromium) now support this header, we may consider turning it on, as it protects Webkit users from MIME-sniffing attacks, and it seems like it doesn't break anything. See: https://adblockplus.org/blog/the-hazards-of-mime-sniffing
Created attachment 223967 [details] patch
CCing Adam as the reviewer of the patch that introduced this feature, in http://trac.webkit.org/changeset/142683 .
Comment on attachment 223967 [details] patch It looks this feature is disabled on all ports now. So, r=me for EFL port for now.
Comment on attachment 223967 [details] patch Clearing flags on attachment: 223967 Committed r164848: <http://trac.webkit.org/changeset/164848>
All reviewed patches have been landed. Closing bug.
Reopen, because NOSNIFF is still disabled on EFL due to the stronger 0 in Tools/Scripts/webkitperl/FeatureList.pm: { option => "nosniff", desc => "Toggle support for 'X-Content-Type-Options: nosniff'", define => "ENABLE_NOSNIFF", default => 0, value => \$nosniffSupport }, The default 0 should be isEfl().
Already fixed in https://trac.webkit.org/changeset/170096
What would it take to get this feature enabled for all ports? GitHub recently placed a bounty for getting nosniff merged in https://bugzilla.mozilla.org/show_bug.cgi?id=471020#c47. It looks like we have some interest and are hopeful the feature will get merged in the not too distant future. Once that change lands Safari/Webkit will be the last browser without support.
Ah, I had somehow missed https://bugs.webkit.org/show_bug.cgi?id=136452 when searching for bugs related to nosniff. I'll follow the discussion over there.