X-Content-Type-Options: nosniff header breaks edit mode


The following files are being sent as application/json to the client, and with the X-Content-Type-Options header present in the response the web browser (tested with Chrome & Firefox) refuses to execute them; as a result the edit mode does not load:

  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shell.ui.resources.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shared.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/contenttypes.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/episerver.cms.js

Mar 09, 2023 9:26
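The browser behaviour described in the post is the Fetch standard's nosniff check: once X-Content-Type-Options: nosniff is present, a response fetched as a script is only executed when its Content-Type is a JavaScript MIME type, whatever the file contents look like. The following script is an added example (not code from this thread, from Optimizely or from any browser) that reproduces that decision so captured response headers from the Network tab can be triaged offline. The function names, the header dictionaries and the sample responses are constructed for illustration.

```python
# Added example (not code from the forum thread or from Optimizely): decides
# whether a browser will refuse to execute a fetched resource under
# X-Content-Type-Options: nosniff, following the Fetch standard's
# "should response to request be blocked due to nosniff?" check.
from typing import Dict, Optional

# Request destinations the Fetch standard treats as "script-like".
SCRIPT_LIKE_DESTINATIONS = frozenset({
    "audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", "worker",
})

# JavaScript MIME type essences listed in the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines (as copied from a browser's Network tab) into a dict.
    Header names are case-insensitive, so keys are lower-cased; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def mime_essence(content_type: Optional[str]) -> Optional[str]:
    """'application/javascript; charset=utf-8' -> 'application/javascript'."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None


def nosniff_requested(headers: Dict[str, str]) -> bool:
    """Per Fetch, only the first comma-separated value of X-Content-Type-Options
    is inspected, compared case-insensitively against 'nosniff'."""
    value = _get(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers: Dict[str, str], destination: str = "script") -> bool:
    """True when the browser must refuse the response for this request destination."""
    if not nosniff_requested(headers):
        return False  # without nosniff the browser falls back to lenient handling
    essence = mime_essence(_get(headers, "Content-Type"))
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES  # missing Content-Type is blocked too
    if destination == "style":
        return essence != "text/css"
    return False  # nosniff does not affect other destinations


def triage(headers: Dict[str, str], destination: str = "script") -> str:
    """One-line verdict for a captured response."""
    essence = mime_essence(_get(headers, "Content-Type")) or "<missing>"
    if blocked_by_nosniff(headers, destination):
        return f"BLOCKED: nosniff set and Content-Type '{essence}' is not valid for destination '{destination}'"
    return f"OK: Content-Type '{essence}' accepted for destination '{destination}'"


# Constructed samples: the response described in the thread (a .js resource
# served as application/json) and the same response with a JavaScript MIME type.
BROKEN_RESPONSE = parse_raw_headers(
    "HTTP/1.1 200 OK\n"
    "Content-Type: application/json\n"
    "X-Content-Type-Options: nosniff\n"
)
FIXED_RESPONSE = parse_raw_headers(
    "HTTP/1.1 200 OK\n"
    "Content-Type: application/javascript; charset=utf-8\n"
    "X-Content-Type-Options: nosniff\n"
)

if __name__ == "__main__":
    print(triage(BROKEN_RESPONSE))
    print(triage(FIXED_RESPONSE))
```

Paste the response headers from the Network tab into parse_raw_headers and run triage on the result; a BLOCKED verdict with application/json is exactly the failure in the post, and the fix is on the server side (serve the .js resources with a JavaScript MIME type), not in removing the header.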

Can you check the network tab and see what content-type the scripts are sent as?

This error is also common if the .js file cannot be loaded. Can you confirm that the files are present? If not, ensure that the modules are properly installed in your solution.

Edited, Mar 09, 2023 10:02

I have confirmed that the files are available; they have content beginning with define(...). The content type of these files is application/json.

Mar 09, 2023 10:20

I would have guessed app.UseStaticFiles would have set the correct MIME types, but you could try adding it yourself:

    using Microsoft.AspNetCore.StaticFiles;

    // Map .js explicitly so static files are served with a JavaScript MIME type
    var provider = new FileExtensionContentTypeProvider();
    provider.Mappings[".js"] = "application/javascript";
    app.UseStaticFiles(new StaticFileOptions { ContentTypeProvider = provider });

Edited, Mar 09, 2023 10:38

huseyinerdinc - Mar 09, 2023 10:53
Yes, same here. I've actually tried setting an explicit content type provider but it didn't change anything.

Minesh Shah (Netcel) - Mar 09, 2023 13:44

Removing the X-Content-Type-Options header fixes the Edit UI?

I'll give this a go shortly and see if I can replicate, to help debug.

huseyinerdinc - Mar 09, 2023 13:45
Yes, it fixed the UI for us.

I've just tried to replicate this locally on 12.17.1 and could not replicate:

  • Install Alloy
  • Upgrade to 12.17.1
  • Add security header

        // Inline middleware that adds the header to every response
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
            await next();
        });

Mar 09, 2023 13:54

huseyinerdinc - Mar 09, 2023 14:04
Interesting, thanks for trying. What were the content types of the aforementioned files?

Minesh Shah (Netcel) - Mar 09, 2023 15:49

I also tried using the deny option and it still worked. Here is the content type you asked for:

Edited, Mar 09, 2023 15:49

huseyinerdinc - Mar 09, 2023 15:54
I see, it is possible that this issue is unique to the particular project I am working on. I will take a deeper look at it soon. Thanks!