Resources blocked by X-Content-Type-Options: nosniff

      jeau (App Dev) wrote (#1):

      After adding Cantaloupe IIIF server to the App Wishlist, for fun, I started to package this application. Everything works fine with a single configuration file.

      However, if I activate the optional administration web page, the static resources (css and js) don't load because of an X-Content-Type-Options: nosniff block which comes from an incorrect MIME type of these served static resources.

      Obviously the issue comes from the Cantaloupe side but is there a workaround on the Cloudron side?


        nebulon (Staff) wrote (#2):

        @jeau I don't think there is a solid non-temporary fix on the Cloudron side and, as you indicated, this should really be fixed or patched in the app.


          girish (Staff) wrote (#3):

          @jeau A hack is simply to edit the conf file in /etc/nginx/applications/<appid>.conf and then systemctl reload nginx. Of course, this change won't persist but at least will let you move forward in packaging the app.

          Do you have an upstream issue we can track? Just want to check if there is something we can do on the platform side, because removing it will let the browser start sniffing content and guess mime type which can be a security issue.

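Added example (not part of the thread, and not Cloudron or Cantaloupe code): a simplified model of the check a browser applies to script and stylesheet requests when the response carries X-Content-Type-Options: nosniff, following the rule in the WHATWG Fetch standard. It shows why a wrong Content-Type makes the admin page's css and js fail to load, and that nothing is refused once the header is gone. The function names, paths and header values are constructed for illustration.

```javascript
// Added example: simplified nosniff check (WHATWG Fetch); sample data is constructed.
const JS_MIME = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
const SCRIPT_LIKE = new Set(["script", "worker", "sharedworker",
  "serviceworker", "audioworklet", "paintworklet"]);

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// "type/subtype" without parameters, lowercased; null if missing or malformed.
function mimeEssence(contentType) {
  if (contentType === null) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// Reason string when the browser would refuse the resource, otherwise null.
function nosniffBlockReason(destination, headers) {
  const xcto = header(headers, "x-content-type-options");
  if (xcto === null || xcto.split(",")[0].trim().toLowerCase() !== "nosniff") {
    return null; // header absent: nothing is refused, the browser may sniff
  }
  const essence = mimeEssence(header(headers, "content-type"));
  const shown = essence ?? "missing or invalid Content-Type";
  if (SCRIPT_LIKE.has(destination) && !JS_MIME.has(essence)) return `script refused: ${shown}`;
  if (destination === "style" && essence !== "text/css") return `stylesheet refused: ${shown}`;
  return null;
}

// Constructed responses for an admin page's static assets.
const NOSNIFF = { "X-Content-Type-Options": "nosniff" };
const samples = [
  ["/admin/app.css", "style", { ...NOSNIFF, "Content-Type": "text/plain" }],
  ["/admin/app.js", "script", { ...NOSNIFF }],
  ["/admin/ok.css", "style", { ...NOSNIFF, "Content-Type": "text/css; charset=utf-8" }],
  ["/admin/ok.js", "script", { ...NOSNIFF, "Content-Type": "text/javascript" }],
];
for (const [url, dest, headers] of samples) {
  console.log(url, "->", nosniffBlockReason(dest, headers) ?? "loads");
}
```
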

            jeau (App Dev) wrote (#4):

            @girish thanks for the hack, it works but as you say it's not a solution.

            I just created an issue on the Cantaloupe GitHub repo: https://github.com/cantaloupe-project/cantaloupe/issues/471


              girish (Staff) wrote (#5):

              @jeau Hopefully, it's an easy upstream fix. After all, it's just setting the content-type correctly.


                girish (Staff) wrote (#6):

                @jeau It got fixed already in https://github.com/cantaloupe-project/cantaloupe/commit/cf5be9112ee7ea561c2229ddada7bb94317369c7 , very nice.


                  jeau (App Dev) wrote (#7):

                  @girish yes 👍
