mmistakes / jekyll-theme-basically-basic

Your new Jekyll default theme.

Home Page: https://mmistakes.github.io/jekyll-theme-basically-basic/

Lunr: Content Security Policy (CSP), X-Content-Type: nosniff

strauhmanis opened this issue · comments

Hi!

I have the following CSP header:

X-Content-Type-Options: nosniff

With this content security policy enabled, the following error comes up in the web inspector console (I'm using local (non-Ruby-gem method), untouched Basically Basic theme files):

[Error] Refused to execute https://www.mydomain.com/assets/javascripts/search-data.json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.

I would like to ask if that is something that can be fixed within the scope of this project, or if this error can be dealt with otherwise, without disabling the mentioned CSP header.

Thanks!

Don't think there is anything to fix within the scope of this project. This appears to be hosting related, which the theme has no control over.

Got it. Thanks!

Wouldn't it be better to change search-data.json to search-data.js, like mmistakes/minimal-mistakes/assets/js/lunr/lunr-store.js? The extension is wrong: it isn't a JSON file, it is a JavaScript file. It would fix the wrong MIME type and avoid MIME-related issues.

Surely, it only causes issues when content-type-options: nosniff is added by the server, so I'm trying to find out why my server is adding it, and CloudFlare was adding it. On the other hand, as it is a security feature, renaming this file would be a better fix.
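
Added example, not part of the thread or of the theme's code: a check that scans built HTML for script tags whose target would be refused under X-Content-Type-Options: nosniff, which is the situation in the error above. The extension-to-MIME table is an assumption about how the host derives Content-Type, and the sample page and the lunr.min.js name are constructed.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
JS_MIME = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
    "text/x-ecmascript", "text/x-javascript",
} | {f"text/javascript1.{n}" for n in range(6)}

# Assumption: the host derives Content-Type from the file extension
# (typical static-server defaults). Adjust to match your server.
EXT_TO_MIME = {
    ".js": "text/javascript", ".mjs": "text/javascript",
    ".json": "application/json", ".txt": "text/plain",
    ".html": "text/html", ".xml": "application/xml",
}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def nosniff_blocked_scripts(html):
    """Return (src, mime) pairs a browser would refuse under nosniff."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    blocked = []
    for src in parser.sources:
        # Query strings do not affect the extension the server maps on.
        ext = PurePosixPath(urlsplit(src).path).suffix.lower()
        mime = EXT_TO_MIME.get(ext, "application/octet-stream")
        if mime not in JS_MIME:
            blocked.append((src, mime))
    return blocked

# Constructed sample page; the .json path is the one from the error above.
SAMPLE = """<html><body>
<script src="/assets/javascripts/lunr.min.js"></script>
<script src="/assets/javascripts/search-data.json?v=1"></script>
</body></html>"""
```

Running nosniff_blocked_scripts over each file in the generated _site directory lists every script reference that needs either a rename to .js or a Content-Type override on the host.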