Add X-Content-Type-Options audit

[jbmoelker]

See:

• https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

[jbmoelker]

@markomalis should we use the RequestHeaders gatherer and just test for the header on the document or should we use the devtoolsLogs gatherer and check all HTTP requests made by the page?

MDN notes:

nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.

Is that something we should also check for?