• Modern browsers and hosts are automatically enabling X-Content-Type-Options=nosniff in all HTTP headers. This effectively breaks the ability of external websites to use the Widget Creator. Users end up getting an error on the screen and an error on the console.

    I sent an e-mail in to Time.ly support, but they apparently don’t support WordPress on that form. The details were well set out in the email, but of course, the copy sent to me doesn’t include a link to the verbiage I sent in.

    Either the Widget Creator needs new code to allow XSS or the Plugin needs updating to ensure matching MIME types.

    My workaround is to put into .htaccess:
    Header always set X-Content-Type-Options ""

    This isn’t a valid solution in the long term as it isn’t a supported model for PHP/HTML standards.

The topic ‘XSS Block for Widget Creator’ is closed to new replies.