On Mon, Jan 25, 2010 at 7:51 PM, Michal Zalewski <lcam...@coredump.cx> wrote:
> 1) Some other security mechanisms (CORS, anti-clickjacking controls,
> XSS filter controls) rely on separate HTTP headers instead. Is there a
> compelling reason not to follow that lead - or better yet, to unify
> all security headers to conserve space?

The reason to use a MIME type here is to trick legacy browsers into not rendering the response as HTML.

Adam