Invalid content type blocking the browser from loading bundle.js

When loading the app through a public link and behind CloudFlare using HTTPS, the app is not able to load because of a security feature of most browsers:

The resource from “https://somedomain.com/somesubdomain/bundle.js” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).

The app does not render and that message above is shown on the console (Firefox). Both Chrome and Firefox were tested. Same behaviour.

Version of Prodigy is 1.9.6

Please. We need this fixed ASAP :pray:

Hi! Not sure this is actually an issue with Prodigy – it looks like you might have No-Sniff Headers enabled in Cloudflare that prevents the browser from guessing the MIME type. Disabling that should solve the issue:

It's possible that there are places where Prodigy could set more explicit MIME types – however, you might still run into the same problems for your own custom content in HTML templates etc. if you're setting the no-sniff header.

Hello, Ines. Thanks for the reply.

Our company takes security very seriously. We are not disabling a security feature since it may impact our clients and other stakeholders.

Can you provide a patch version of Prodigy responding with application/javascript for that file?

I don't see any other option...

Yes, you can update this in the app.py, which is included with Prodigy by updating the endpoint as follows:

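```python
from starlette.responses import HTMLResponse, PlainTextResponse, Response

# `static` and `JAVASCRIPT` come from the surrounding app.py
@static.get("/bundle.js")
def static_bundle():
    # Serve the bundle with an explicit JavaScript MIME type
    return Response(JAVASCRIPT, media_type="application/javascript")
```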

We'll also include this by default in the next release.

Just note that there are potential open issues with this feature that may have an impact on the content – see this thread. There's also no reason you'd need to disallow MIME-type sniffing for Prodigy, since you're not hosting anything you don't control (e.g. user uploads).