Resources blocked by X-Content-Type-Options: nosniff

jeau

After adding Cantaloupe IIIF server to the App Whislist, for fun, I started to package this application. Everything works fine with a single configuration file.

However, if I activate the optional administration web page, the static resources (css and js) don't load because of a X-Content-Type-Options: nosniff block which comes from an incorrect MIME type of this served static resources.

Obviously the issue comes from the Cantaloupe side but is there a workaround on the Cloudron side?

nebulon

@jeau I don't think there is a solid non-temporary fix on Cloudron side and as you indicated, this should really be then fixed or patched in the app.

girish

@jeau A hack is simply to edit the conf file in /etc/nginx/applications/<appid>.conf and then systemctl reload nginx. Of course, this change won't persist but atleast will let you move forward in packaging the app.

Do you have an upstream issue we can track? Just want to check if there is something we can do on the platform side, because removing it will let the browser start sniffing content and guess mime type which can be a security issue.

jeau

@girish thanks for the hack, it works but as you say it's not a solution.

I just created an issue on the Cantaloupe github repo https://github.com/cantaloupe-project/cantaloupe/issues/471

girish

@jeau hopefully, it's an easy upstream fix. after all, it's just setting of content-type correctly.

girish

@jeau It got fixed already in https://github.com/cantaloupe-project/cantaloupe/commit/cf5be9112ee7ea561c2229ddada7bb94317369c7 , very nice.

jeau

@girish yes