I learned about X-Content-Type-Options on Hasegawa Yosuke's blog. But his article is a little misleading. Content-sniffing is a long-lived feature. In the old days, Marc Andreessen wrote about his (Mosaic's) first implementation of the IMG element:
For the time being, inlined images won’t be explicitly content-type’d; down the road, we plan to support that (along with the general adaptation of MIME). Actually, the image reading routines we’re currently using figure out the image format on the fly, so the filename extension won’t even be significant.
Can we prevent content-sniffing in every browser?
Internet Explorer and Chromium honor X-Content-Type-Options. But according to Browserscope's security test, my Firefox 3.6.13 and my Safari 5.0.3 don't recognize this response header. Of course, neither browser interprets a corrupted image as HTML, and Firefox follows the server-sent type in standards-compliant mode.
However, Safari sniffs application/octet-stream responses and interprets them as HTML. Safari also sniffed text/plain responses before Mac OS X 10.4.4. Take care!
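As an added example (my own code, not from the original post), here is a small audit that turns the observations above into a header check: it flags responses that lack nosniff, and responses whose media type some browsers sniff to HTML regardless of the header. The set of sniff-prone types and the Content-Disposition: attachment suggestion are my assumptions.

```python
# Audit one HTTP response's headers for content-sniffing exposure.
# Rule set is an assumption based on the post: IE/Chromium honor nosniff,
# while older Safari sniffs application/octet-stream (and text/plain on
# old Mac OS X) to HTML even when the header is present.

# Media types that some browsers sniff to HTML even with nosniff (assumed list).
SNIFF_PRONE_TYPES = {"application/octet-stream", "text/plain", ""}


def audit_response(headers):
    """Return a list of findings (strings) for a dict of response headers.

    Header names are matched case-insensitively; an empty list means the
    response passed every check in this audit.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    content_type = h.get("content-type", "")
    media_type = content_type.split(";", 1)[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    disposition = h.get("content-disposition", "").lower()

    if not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff "
                        "(IE and Chromium may sniff the body)")
    if media_type in SNIFF_PRONE_TYPES:
        # nosniff does not help in browsers that ignore the header, so the
        # media type itself has to be one the browser will not sniff.
        findings.append("Content-Type %r is sniffed to HTML by some browsers "
                        "even with nosniff; send the real media type"
                        % (media_type or "(none)"))
        if not disposition.startswith("attachment"):
            findings.append("add Content-Disposition: attachment so the body "
                            "is downloaded rather than rendered")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: an unprotected upload and a hardened image.
    for name, hdrs in [
        ("upload", {"Content-Type": "application/octet-stream"}),
        ("image", {"Content-Type": "image/png",
                   "X-Content-Type-Options": "nosniff"}),
    ]:
        print(name, audit_response(hdrs) or "ok")
```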