With nosniff header, try without nosniff header.

JavaScript tests

No JavaScript in gif executed - GOOD!
No JavaScript in gif through createElement executed (info)
Accepted mime types:

Image tests

pnggifjpgsvg
pngbadgoodgoodgood
gifgoodbadgoodgood
jpggoodgoodbadgood
svggoodgoodgoodbad
txtgoodgoodgoodgood
htmgoodgoodgoodgood
cssgoodgoodgoodgood
jsgoodgoodgoodgood
jsongoodgoodgoodgood
Right: filetype, down: mime
In a perfect world with no MIME sniffing we would only see matching cells (png/png, jpg/jpg and gif/gif) with an icon and no icons anywhere.

Image test / cross-origin

pnggifjpgsvg
pngbadgoodgoodgood
gifgoodbadgoodgood
jpggoodgoodbadgood
svggoodgoodgoodbad
txtgoodgoodgoodgood
htmgoodgoodgoodgood
cssgoodgoodgoodgood
jsgoodgoodgoodgood
jsongoodgoodgoodgood

References

Microsoft: Reducing MIME type security risks
Firefox bug report

Icons Public Domain by Tango Project: OK, Error

Created by Hanno Böck ()