Some implementations reflect TOKEN1, thus this can lead to XSS.
But only if the browser interprets it as HTML.
It's a module that enables XSS attacks.
This module determines the MIME type of files in the same way the Unix file(1) command works: it looks at the first few bytes of the file. (Apache documentation)
Parser code is based on an old fork of the "file" utility.
Any web application that allows uploading files with an unusual extension not in /etc/mime.types has Cross Site Scripting.
(Found multiple examples, disclosure pending.)
Server will guess MIME type (e.g. if it starts with <html>) and send it as text/html.
Only globally, no option to disable it per host or directory (can't be disabled by customers on shared hosting).
Not so fast...
It can guess MIME types, too!
If file with HTML is sent without a MIME type the browser will render it.
Firefox and Edge will render HTML without a MIME type even with "X-Content-Type-Options: nosniff".
Good luck with that: Every Linux distribution has its own version of mime.types.
Let's set a safe MIME type (e.g. text/plain or application/octet-stream) for every unknown file extension.
Has been removed in Apache 2.4.
A standard to enable Cross Site Scripting.
nginx sends application/octet-stream by default.
I'm hoping to get some ideas from you what to do about it.