It's not clear to me that "Content-Type metadata" is a defined concept

[bzbarsky]

The link goes to the HTML spec, which refers to mimesniff, which does not define the concept.

I've been trying to find where the behavior of normal @import and stylesheet loading is defined to reject cross-site non-text/css, but haven't found it yet. https://drafts.csswg.org/cssom/#fetch-a-css-style-sheet is a thing, but also uses "Content-Type metadata".

Most simply, what should happen for @import from a constructed stylesheet if the server does not send a Content-Type header?

This probably doesn't need to block this spec progressing, because of the mess the rest of stylesheet loading is, but it might be good to explicitly say the behavior needs to match https://drafts.csswg.org/cssom/#fetch-a-css-style-sheet and whatever HTML uses to load sheets, assuming this last is defined.

@domenic, @annevk

[domenic]

/cc @zcorpan who might be looking into this underspecified (posibly interop) problem as well.

HTML in theory uses https://html.spec.whatwg.org/multipage/semantics.html#obtaining-a-resource-from-a-link-element but there's also whatwg/html#968 to use "fetch a CSS style sheet"... so I'm not even sure which of these we should match... but saying that our intent is to match one or both of them seems like a good idea :)

[annevk]

Note that I wrote tests in web-platform-tests/wpt#13144 for this, so at least testing-wise it's clear what we want, though we might want to be stricter for constructed style sheets and require an actual text/css match?