The test TestNativeDag/GET_response_for_application%2Fvnd.ipld.dag-json_has_expected_Content-Type/Header_X-Content-Type-Options has the following hint:
Make sure expected HTTP headers are returned with the dag- block
Error: Header 'X-Content-Type-Options' expected one element (includes nosniff hint)
The spec says of the X-Content-Type-Options header:
X-Content-Type-Options: nosniff should be returned with application/vnd.ipld.car and application/vnd.ipld.raw responses to indicate that the Content-Type should be followed and not be changed. This is a security feature, ensures that non-executable binary response types are not used in <script> and <style> HTML tags.
It makes no reference to application/vnd.ipld.dag-json so there's either a gap in the spec or the test is incorrect.
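As an added example (not code from this issue, the spec, or the conformance suite), the Go sketch below classifies a response against the spec text quoted above, showing why `application/vnd.ipld.dag-json` falls outside it. The names `specNosniff`, `checkNosniff` and `probe`, and the constructed stand-in response, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Content types for which the quoted spec text asks for nosniff.
var specNosniff = map[string]bool{
	"application/vnd.ipld.car": true,
	"application/vnd.ipld.raw": true,
}

// checkNosniff returns "ok" (exactly one nosniff value), "missing" (a
// spec-listed type without it) or "unspecified" (type not in the quoted text).
func checkNosniff(h http.Header) string {
	ct := strings.TrimSpace(strings.Split(h.Get("Content-Type"), ";")[0])
	vals := h.Values("X-Content-Type-Options")
	if len(vals) == 1 && strings.EqualFold(strings.TrimSpace(vals[0]), "nosniff") {
		return "ok"
	}
	if specNosniff[ct] {
		return "missing"
	}
	return "unspecified"
}

// probe builds one constructed response that sets nosniff only for the
// spec-listed types (a stand-in, not a real gateway) and classifies it.
func probe(contentType string) string {
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Type", contentType)
	if specNosniff[contentType] {
		rec.Header().Set("X-Content-Type-Options", "nosniff")
	}
	rec.WriteHeader(http.StatusOK)
	return checkNosniff(rec.Result().Header)
}

func main() {
	for _, ct := range []string{"application/vnd.ipld.car", "application/vnd.ipld.raw", "application/vnd.ipld.dag-json"} {
		fmt.Printf("%-32s %s\n", ct, probe(ct))
	}
}
```

A handler that follows only the quoted spec text yields `unspecified` for dag-json, which is the case the conformance test's "expected one element" assertion rejects.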