When the header "X-Content-Type-Options: nosniff" is supplied, the remote JS login functionality fails because the response from the load action is transferred as text/html.
The response should be transferred as "application/javascript" by setting the proper headers prior to output.
Here's the diff:
diff --git a/wordpress-mu-domain-mapping/domain_mapping.php b/wordpress-mu-domain-mapping/domain_mapping.php
index 2241b15..6fa06c9 100644
--- a/wordpress-mu-domain-mapping/domain_mapping.php
+++ b/wordpress-mu-domain-mapping/domain_mapping.php
@@ -736,6 +736,7 @@ function remote_login_js() {
$key = md5( time() . mt_rand() );
$wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->dmtablelogins} ( <code>id</code>, <code>user_id</code>, <code>blog_id</code>, <code>t</code> ) VALUES( %s, %d, %d, NOW() )", $key, $current_user->ID, $_GET[ 'blogid' ] ) );
$url = add_query_arg( array( 'action' => 'login', 'dm' => $hash, 'k' => $key, 't' => mt_rand() ), $_GET[ 'back' ] );
+ header('Content-Type: application/javascript');
echo "window.location = '$url'";
exit;
} elseif ( $_GET[ 'action' ] == 'login' ) {