Can you think of an attack that would have been mitigated by the
filter if it was enabled for static content? If someone comes up with
an attack, our chances to get rid of the ugly header quickly will
improve significantly. Seriously, I'd like to know why they added it
in the first place.
I have shared my thoughts in the issue tracker:
http://code.google.com/p/googleappengine/issues/detail?id=2417
Sooner or later someone from the App Engine team will notice that
issue and respond.
-- Alexander