Try our conversational search powered by Generative AI!

AI OnAI Off

X-Content-Type-Options: nosniff header breaks edit mode

huseyinerdinc
huseyinerdinc
Vote:
 

The following files are being sent as application/json to the client and having X-Content-Type-Options header in the response the web browser (tested with Chrome & Firefox) refuses to execute them and as a result the edit mode does not load:

  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shell.ui.resources.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shared.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/contenttypes.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/episerver.cms.js

#297959
Mar 09, 2023 9:26
Eric Herlitz
Eric Herlitz
Vote:
 

Can you check the network tab and see what content-type the scripts are sent as?

This error is also common if the .js-file cannot be loaded. Can you confirm that the files are present? If not ensure that the modules are properly installed in your solution.

#297964
Edited, Mar 09, 2023 10:02
huseyinerdinc
huseyinerdinc
Vote:
 

I have confirmed that the files are available; they have content beginning with define(...). The content type of these files is application/json.

#297965
Mar 09, 2023 10:20
Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

I would have guessed app.UseStaticFiles would have set the correct MIME Types but you could try adding yourself 

var provider = new FileExtensionContentTypeProvider();
provider.Mappings[".js"] = "application/javascript";
app.UseStaticFiles(new StaticFileOptions { ContentTypeProvider = provider });
#297966
Edited, Mar 09, 2023 10:38
huseyinerdinc - Mar 09, 2023 10:53
Yes, same here. I've actually tried setting an explicit content type provider but it didn't change anything.
Minesh Shah (Netcel) - Mar 09, 2023 13:44
Removing the X-Content-Type-Options header fixes the Edit UI ?

I'll give this ago shortly see if can replicate, to help debug
huseyinerdinc - Mar 09, 2023 13:45
Yes, it fixed the UI for us.
Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

I've just tried to replicate this locally on 12.17.1 and could not replicate 

  • Install Alloy
  • Upgrade to 12.17.1
  • Add security header 
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
            await next();
        });

#297977
Mar 09, 2023 13:54
huseyinerdinc - Mar 09, 2023 14:04
Interesting, thanks for trying. What was the content types of the aforementioned files?
Minesh Shah (Netcel) - Mar 09, 2023 15:49
text/javascript
Minesh Shah (Netcel)
Minesh Shah (Netcel)
Vote:
 

I also tried with using the deny option and still worked here is the content type you asked for 

#297981
Edited, Mar 09, 2023 15:49
huseyinerdinc - Mar 09, 2023 15:54
I see, it is possible that this issue is unique to the particular project I am working on. I will take a deeper look at it soon. Thanks!
Piotr Ciarach
Piotr Ciarach
Vote:
 

We have also encountered this issue yesterday and it seems that ExtendedNewtonsoftJsonOutputFormatter is the problem.

I've used the Foundation project to check what is the difference compared to our project and it turned out that it uses ExtendedSystemTextJsonOutputFormatter which properly assigns content type for these resources based on ResponseDecorator.

Most likely, Alloy uses the same formatter thus you were not able to reproduce this issue there.


#300306
Edited, Apr 18, 2023 7:43
huseyinerdinc - Apr 19, 2023 6:49
Nice catch! Were you able to find a workaround for the issue?
Piotr Ciarach - Apr 19, 2023 8:29
Unfortunately not yet :( For now, we temporarily removed this header for '/episerver' as we had some more urgent issues to work on.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.