nim, glasser comments

packages/browser-policy-content/browser-policy-content.js

@@ -132,6 +132,7 @@ var setDefaultPolicy = function () {
                                   "connect-src *; " +
                                   "img-src data: 'self'; " +
                                   "style-src 'self' 'unsafe-inline';");
+  contentSniffingAllowed = false;
 };
 
 var setWebAppInlineScripts = function (value) {

packages/browser-policy/browser-policy-test.js

@@ -153,6 +153,7 @@ Tinytest.add("browser-policy - x-frame-options", function (test) {
 });
 
 Tinytest.add("browser-policy - X-Content-Type-Options", function (test) {
+  BrowserPolicy.content._reset();
   test.equal(BrowserPolicy.content._xContentTypeOptions(), "nosniff");
   BrowserPolicy.content.allowContentTypeSniffing();
   test.equal(BrowserPolicy.content._xContentTypeOptions(), undefined);

packages/webapp/webapp_server.js

@@ -408,7 +408,7 @@ var runWebAppServer = function () {
       res.setHeader('X-SourceMap', info.sourceMapUrl);
 
     if (info.type === "js") {
-      res.setHeader("Content-Type", "text/javascript; charset=UTF-8");
+      res.setHeader("Content-Type", "application/javascript; charset=UTF-8");
     } else if (info.type === "css") {
       res.setHeader("Content-Type", "text/css; charset=UTF-8");
     }

packages/webapp/webapp_tests.js

@@ -19,5 +19,5 @@ Tinytest.add("webapp - content-type header", function (test) {
              "text/css; charset=utf-8");
   resp = HTTP.get(url.resolve(Meteor.absoluteUrl(), jsResource));
   test.equal(resp.headers["content-type"].toLowerCase(),
-             "text/javascript; charset=utf-8");
+             "application/javascript; charset=utf-8");
 });