X-Content-Type-Options: nosniff header breaks edit mode

The following files are being sent as application/json to the client, and because the response carries the X-Content-Type-Options header, the web browser (tested with Chrome & Firefox) refuses to execute them; as a result the edit mode does not load:

  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shell.ui.resources.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/shell/ui/nls/en-us/episerver.shared.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/contenttypes.js
  • /EPiServer/Shell/12.17.1/ClientResources/EPi/cms/nls/en-us/episerver.cms.js

#297959
Mar 09, 2023 9:26
Can you check the network tab and see what content-type the scripts are sent as?

This error is also common if the .js file cannot be loaded. Can you confirm that the files are present? If not, ensure that the modules are properly installed in your solution.

#297964
Edited, Mar 09, 2023 10:02
I have confirmed that the files are available; they have content beginning with define(...). The content type of these files is application/json.

#297965
Mar 09, 2023 10:20
I would have guessed app.UseStaticFiles would set the correct MIME types, but you could try adding them yourself:

using Microsoft.AspNetCore.StaticFiles;

// Map .js explicitly to a JavaScript MIME type so the static file middleware
// never serves scripts under a type that nosniff would refuse to execute.
var provider = new FileExtensionContentTypeProvider();
provider.Mappings[".js"] = "application/javascript";
app.UseStaticFiles(new StaticFileOptions { ContentTypeProvider = provider });
#297966
Edited, Mar 09, 2023 10:38
huseyinerdinc - Mar 09, 2023 10:53
Yes, same here. I've actually tried setting an explicit content type provider but it didn't change anything.
Minesh Shah (Netcel) - Mar 09, 2023 13:44
Removing the X-Content-Type-Options header fixes the Edit UI?

I'll give this a go shortly and see if I can replicate, to help debug.
huseyinerdinc - Mar 09, 2023 13:45
Yes, it fixed the UI for us.
I've just tried to replicate this locally on 12.17.1 and could not replicate it:

  • Install Alloy
  • Upgrade to 12.17.1
  • Add the security header:
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
            await next();
        });

#297977
Mar 09, 2023 13:54
huseyinerdinc - Mar 09, 2023 14:04
Interesting, thanks for trying. What were the content types of the aforementioned files?
Minesh Shah (Netcel) - Mar 09, 2023 15:49
text/javascript
I also tried using the deny option and it still worked. Here is the content type you asked for:

#297981
Edited, Mar 09, 2023 15:49
huseyinerdinc - Mar 09, 2023 15:54
I see, it is possible that this issue is unique to the particular project I am working on. I will take a deeper look at it soon. Thanks!
We also encountered this issue yesterday, and it seems that ExtendedNewtonsoftJsonOutputFormatter is the problem.

I used the Foundation project to check what the difference is compared to our project, and it turned out that it uses ExtendedSystemTextJsonOutputFormatter, which properly assigns the content type for these resources based on ResponseDecorator.

Most likely, Alloy uses the same formatter, thus you were not able to reproduce this issue there.

#300306
Edited, Apr 18, 2023 7:43
huseyinerdinc - Apr 19, 2023 6:49
Nice catch! Were you able to find a workaround for the issue?
Piotr Ciarach - Apr 19, 2023 8:29
Unfortunately not yet :( For now, we temporarily removed this header for '/episerver' as we had some more urgent issues to work on.
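As an added example (not code from this thread, from Optimizely, or from the Alloy/Foundation projects), a small Python audit that applies the browser rule behind the symptom above: with X-Content-Type-Options: nosniff a script response only executes when the type/subtype of its Content-Type is a JavaScript MIME type, which is why the nls resources served as application/json stop loading while Alloy's text/javascript responses keep working. The JavaScript MIME list follows the Fetch standard; the sample responses and the audit_script helper are constructed here for illustration.

```python
import urllib.request
from typing import Mapping

# JavaScript MIME types per the Fetch standard; the browser compares the
# type/subtype only, so parameters such as ";charset=utf-8" are stripped first.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def essence(content_type: str) -> str:
    """Lower-cased type/subtype of a Content-Type value with parameters removed."""
    return content_type.split(";", 1)[0].strip().lower()

def nosniff_enabled(headers: Mapping[str, str]) -> bool:
    """True when X-Content-Type-Options is present and reads nosniff."""
    return header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"

def script_blocked(headers: Mapping[str, str]) -> bool:
    """Would a browser refuse to run this response as a <script>? With nosniff only a
    JavaScript MIME type executes; without it the browser sniffs and a mislabelled file still runs."""
    if not nosniff_enabled(headers):
        return False
    return essence(header(headers, "Content-Type")) not in JAVASCRIPT_MIME_TYPES

def audit_script(url: str) -> dict:
    """Fetch one script URL and report its Content-Type and whether nosniff blocks it."""
    with urllib.request.urlopen(url) as resp:  # assumption: the URL is reachable
        headers = dict(resp.headers.items())
    return {"url": url, "content_type": header(headers, "Content-Type"),
            "blocked": script_blocked(headers)}

# Constructed sample responses mirroring the thread: the failing project serves the
# nls resources as JSON behind nosniff, while Alloy serves them as text/javascript.
BROKEN_RESPONSE = {"Content-Type": "application/json; charset=utf-8",
                   "X-Content-Type-Options": "nosniff"}
ALLOY_RESPONSE = {"Content-Type": "text/javascript; charset=utf-8",
                  "X-Content-Type-Options": "nosniff"}
NO_NOSNIFF_RESPONSE = {"Content-Type": "application/json"}
if __name__ == "__main__":
    for name, hdrs in [("broken", BROKEN_RESPONSE), ("alloy", ALLOY_RESPONSE)]:
        print(name, "blocked" if script_blocked(hdrs) else "executes")
```

Running audit_script over each of the four ClientResources paths listed in the first post, before the header is rolled out, shows which formatter configuration the site is on without touching the browser.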