* Rewriter acts on content by MIME type. HTML, JS, and CSS types have specific rewriting filters. Other types such as images are not rewritten.
* Malicious content provider server can tag content with incorrect MIME type. E.g., tag HTML as image.
* Some browsers are known to sometimes fudge MIME types (for example, IE will treat a JPEG file requested directly as HTML if that's what the file contains). What happens when an included Javascript file resource is mislabeled?
* Some improvements can be made. When rewriting HTML, replace all Javascript/CSS includes with rewritten URLs that embed the expected content type. This will ensure that Psiphon will aggressively rewrite these resources regardless of the MIME type the content provider labels them with.
Probably related: bug #457471