Some non-HTTP protocols running on a server might respond to HTTP requests with an error message, and return (parts of) the incoming request. If web browsers content-sniff data returned withouth HTTP headers, an attacker might be able to send data to such a service, and have the server return an error which the browser interprets as HTML/JS. This opens up for XSS. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=667907
Upstream bug says, this is embargoed till 28th Dec 2011. However 3.6.24 likely has the fix, perhaps the bug wont be made public.