Otherwise this can lead to an XSS endpoint on naïve server implementations. Validating the MIME type of the response seems like good practice and ensures the response cannot be used for other purposes.

https://www.youtube.com/watch?v=dBJt3eR8-bg outlines this at the beginning (should take a couple minutes max).