X-Content-Type-Options is an HTTP response header that tells the browser not to MIME-sniff the response, that is, not to guess a content type other than the one declared in the Content-Type header. It mitigates MIME-sniffing attacks, in which a response the server labels as harmless (for example text/plain) is interpreted by the browser as script or as a style sheet. Every page that could contain user-controllable content should be served with the header X-Content-Type-Options: nosniff.
Add the header below to the web.config file if the application is hosted on Internet Information Services (IIS) 7 or later:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Sent on every response served by this site -->
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Refer to the documentation for this response header to learn more about it.
When the server sends X-Content-Type-Options: nosniff, script and style-sheet elements reject responses with an incorrect MIME type: a <script> only executes a response whose Content-Type is a JavaScript MIME type, and a <link rel="stylesheet"> only applies a response served as text/css. This is a security feature that helps prevent attacks based on MIME-type confusion, and it is the behaviour behind the problem explained in this article.
Recently, I was working on an issue where I was getting the errors below while calling AJAX functions.
Refused to execute script from 'http://localhost:8081/ajax/common.ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
Sample.aspx:1 Refused to execute script from 'http://localhost:8081/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
I see the code below in my application.
<script type="text/javascript" src="/ajax/common.ashx"></script>
<script type="text/javascript" src="/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx"></script>
This means the page expects a JavaScript response from each .ashx file, but the handler answers with Content-Type: text/plain. That is the content type the default generic-handler (.ashx) template sets (context.Response.ContentType = "text/plain"), so a handler that never changes it ships a content type that the browser will not execute as script once nosniff is in effect.
As it would take some time to change the application code and deploy it to IIS, I added an outbound URL Rewrite rule in IIS as a workaround. These are the steps I followed.
- Download and install the URL Rewrite module for IIS from https://www.iis.net/downloads/microsoft/url-rewrite
- Add the outbound rule below to the web.config file inside the <system.webServer> element
<rewrite>
  <outboundRules>
    <remove name="Test" />
    <rule name="Test">
      <!-- Match responses whose Content-Type is text/plain ... -->
      <match serverVariable="RESPONSE_CONTENT_TYPE" pattern="text/plain" />
      <conditions>
        <!-- ... but only for .ashx requests. The dot is escaped so the regex
             matches a literal ".ashx" rather than any character followed by "ashx". -->
        <add input="{REQUEST_URI}" pattern="\.ashx" />
      </conditions>
      <!-- Rewrite the response Content-Type to a JavaScript MIME type -->
      <action type="Rewrite" value="text/javascript" />
    </rule>
  </outboundRules>
</rewrite>
Note: This is only a workaround. The permanent fix is to set the correct MIME type in the application code as the requirement dictates (for a generic handler, set context.Response.ContentType to text/javascript before writing the response). Be aware of what the rule does in the meantime: every text/plain response from an .ashx handler is relabelled as JavaScript, so the browser executes those responses as script even though nosniff is in place. If any handler matched by the rule returns user-controllable text, the rule re-opens exactly the MIME-confusion risk that nosniff is meant to close. Narrow the condition to the handlers that actually serve script, and remove the rule once the code fix is deployed.
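The permanent fix that the note above refers to, as an added example that is not part of the original post: a generic handler that declares a JavaScript MIME type instead of the template's text/plain, and that JavaScript-encodes any request data it embeds in the script so the handler stays safe even when its response is executable. The class name CommonHandler, the query-string parameter name and the script body are assumptions for illustration.

```csharp
// Added example (not from the original post): a .ashx generic handler whose
// response loads under X-Content-Type-Options: nosniff because it declares a
// JavaScript MIME type. Register it with an .ashx file containing
// <%@ WebHandler Language="C#" Class="CommonHandler" %>
using System.Web;

public class CommonHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // BEFORE (what the Visual Studio generic-handler template sets):
        //   response.ContentType = "text/plain";
        // With nosniff in effect the browser refuses to execute that as script.

        // AFTER: declare a JavaScript MIME type. text/javascript is the type the
        // HTML standard specifies; browsers accept application/javascript too.
        response.ContentType = "text/javascript";
        response.Charset = "utf-8";

        // Defense in depth: keep nosniff on this response even if the site-wide
        // web.config entry is removed later. Drop this line if web.config
        // already adds the header for every response.
        response.AppendHeader("X-Content-Type-Options", "nosniff");

        // Script that reflects request data must never be cached across users.
        response.Cache.SetCacheability(HttpCacheability.NoCache);

        // Illustrative request data (assumed parameter name "user"). Anything
        // embedded in script must be JavaScript-string-encoded; the second
        // argument makes the helper add the surrounding double quotes.
        string user = context.Request.QueryString["user"] ?? "anonymous";
        string encodedUser = HttpUtility.JavaScriptStringEncode(user, true);

        response.Write("window.common = { ready: true, user: " + encodedUser + " };");
    }

    // Stateless handler: one instance can serve many requests.
    public bool IsReusable
    {
        get { return true; }
    }
}
```

Once the handler sets its own Content-Type, the outbound rewrite rule above no longer matches its responses (they are not text/plain), so the rule can be deleted without affecting the page.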
Hope this helps 😊