Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Resources blocked by X-Content-Type-Options: nosniff

Scheduled Pinned Locked Moved App Packaging & Development
7 Posts 3 Posters 285 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • jeauJ Offline
    jeauJ Offline
    jeau App Dev
    wrote on last edited by
    #1

    After adding Cantaloupe IIIF server to the App Whislist, for fun, I started to package this application. Everything works fine with a single configuration file.

    However, if I activate the optional administration web page, the static resources (css and js) don't load because of a X-Content-Type-Options: nosniff block which comes from an incorrect MIME type of this served static resources.

    Obviously the issue comes from the Cantaloupe side but is there a workaround on the Cloudron side?

    nebulonN girishG 2 Replies Last reply
    0
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    replied to jeau on last edited by
    #2

    @jeau I don't think there is a solid non-temporary fix on Cloudron side and as you indicated, this should really be then fixed or patched in the app.

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jeau on last edited by
    #3

    @jeau A hack is simply to edit the conf file in /etc/nginx/applications/<appid>.conf and then systemctl reload nginx. Of course, this change won't persist but atleast will let you move forward in packaging the app.

    Do you have an upstream issue we can track? Just want to check if there is something we can do on the platform side, because removing it will let the browser start sniffing content and guess mime type which can be a security issue.

    jeauJ 1 Reply Last reply
    1
  • jeauJ Offline
    jeauJ Offline
    jeau App Dev
    replied to girish on last edited by
    #4

    @girish thanks for the hack, it works but as you say it's not a solution.

    I just created an issue on the Cantaloupe github repo https://github.com/cantaloupe-project/cantaloupe/issues/471

    girishG 2 Replies Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jeau on last edited by
    #5

    @jeau hopefully, it's an easy upstream fix. after all, it's just setting of content-type correctly.

    1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jeau on last edited by
    #6

    @jeau It got fixed already in https://github.com/cantaloupe-project/cantaloupe/commit/cf5be9112ee7ea561c2229ddada7bb94317369c7 , very nice.

    jeauJ 1 Reply Last reply
    0
  • jeauJ Offline
    jeauJ Offline
    jeau App Dev
    replied to girish on last edited by
    #7

    @girish yes 👍

    1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.