XCTO affects more than script-like and "style"

[JannisBush]

Only request destinations that are script-like or "style" are considered as any exploits pertain to them. Also, considering "image" was not compatible with deployed content. (https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?)

To me the spec reads as XCTO only is used for script-like and style destinations, however this is not the case.

• CORB and ORB use XCTO for images and media
• Browsers seem to be using XCTO for iframes and windows as well. Responses with XCTO are either displayed as text/plain or treated as downloads