Re: Issue 180007 in chromium: Strict MIME type checking prevents JavaScript served as 'text/plain' from executing.

[chro...@googlecode.com]

Updates:
Status: Untriaged
Cc: nyerrami...@chromium.org
Labels: -Pri-2 -Type-Bug Pri-1 Type-Regression Mstone-27 Area-WebKit

Comment #4 on issue 180007 by nyerrami...@chromium.org: Strict MIME type
checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Tested with URL 'http://lxe.co/strict-mime.html' - Able to repro this issue
on Macbook pro 10.8.2 with canary 27.0.1429.0,Dev 27.0.1425.0

Bisect info :

You are probably looking for a change made after 182110 (known good), but
no later than 182122 (first known bad).
WEBKIT CHANGELOG URL:

http://trac.webkit.org/log/trunk/?rev=142684&stop_rev=142637&verbose=on&limit=10000
CHANGELOG URL:

http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/trunk/src&range=182110%3A182122


--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Comment #5 on issue 180007 by engines...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

ubuntu 12.10 with Chrome Dev 27.0.1425.0 also has this bug

need fix asap!

[chro...@googlecode.com]

Comment #6 on issue 180007 by l...@lxe.co: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I think the strict type checking should only be enabled
if 'X-Content-Type-Options: nosniff' is set, and not by default.

http://trac.webkit.org/browser/trunk?rev=142683

[chro...@googlecode.com]

Comment #7 on issue 180007 by l...@lxe.co: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I think the strict type checking should only be enabled
if 'X-Content-Type-Options: nosniff' is set, and not by default.

[chro...@googlecode.com]

Comment #9 on issue 180007 by sas...@tape.io: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Can confirm for Mac OSX 10.8.2 / Chrome Version 27.0.1425.0 dev ...

This breaks a lot of pages, for example those which load js files from
github.

[chro...@googlecode.com]

Updates:
Cc: scarybea...@gmail.com tse...@chromium.org

Comment #11 on issue 180007 by mk...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

GitHub does in fact serve assets from `raw.github.org` with a
`X-Content-Type-Options: nosniff` header. Chrome matches the behavior of
IE8, 9, and 10 on this page, and Gecko will match if/when they fix
https://bugzilla.mozilla.org/show_bug.cgi?id=471020.

I've had conversations with GitHub folks about this issue in particular;
they don't actually want folks serving files from raw.github.org, which is
why they serve resources with the 'nosniff' header. They'd prefer that you
set up something on GitHub Pages.

If we want this security feature, and I believe we do, this is an expected
consequence.

[chro...@googlecode.com]

Comment #12 on issue 180007 by l...@lxe.co: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Sorry guys, looks as though I didn't examine the headers completely. I used
the Chrome development console, which possibly omits all of the header info.

< HTTP/1.1 200 OK
< Date: Wed, 06 Mar 2013 16:32:12 GMT
< Server: GitHub.com
< Content-Type: text/plain; charset=utf-8
< Status: 200 OK
< X-RateLimit-Limit: 100
< X-RateLimit-Remaining: 100
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< Content-Disposition: inline
< Content-Transfer-Encoding: binary
< X-Runtime: 15
< ETag: "b58e92aa7a78de6439385c19e58a95a0"
< Via: 1.1 varnish
< Content-Length: 69641
< Accept-Ranges: bytes
< Via: 1.1 varnish
< Age: 0
< X-Served-By: cache-v25-ASH
< X-Cache: MISS
< X-Cache-Hits: 0
< Vary: Accept-Encoding
< Cache-Control: private

There is indeed a 'X-Content-Type-Options: nosniff' header. In that case,
this issue is invalid.

[chro...@googlecode.com]

Comment #13 on issue 180007 by l...@lxe.co: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Sorry guys, looks as though I didn't examine the headers completely. I used

the Chrome development console, which possibly omits some of the headers.

[chro...@googlecode.com]

Updates:
Status: WontFix

Comment #14 on issue 180007 by mk...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Thanks for taking another look!

I'm closing this out as WontFix, but I do think we need to fairly closely
monitor whether or not this change breaks more of the web than we expect it
to. If you see related errors, please do let us know.

[chro...@googlecode.com]

Comment #15 on issue 180007 by bpphillips: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

It seems to break gchat inside google plus as
https://talkgadget.google.com/talkgadget/js?name=lite&am=!fBmxK3Da63kJhSKU-I8&ver=RrS9crbocm0.lo.en..&jsmode=lo.en..&zd=qc
has a content-type of text/plain

[chro...@googlecode.com]

Comment #16 on issue 180007 by mgrasso...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Is there a way to temporarily disable strict type checking? I get why
github wants to discourage this practice but it's really useful when you're
trying to reference a specific commit in a jsfiddle...

[chro...@googlecode.com]

Comment #22 on issue 180007 by starbeam...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

This bug has a release block of beta but this bug is currently present in
Chrome OS beta.

[chro...@googlecode.com]

Updates:
Labels: -ReleaseBlock-Beta

Comment #23 on issue 180007 by mk...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

This behavior is working as intended, as discussed above. Dropping the
release blocking flag for clarity, thanks for the heads up.

[chro...@googlecode.com]

Comment #24 on issue 180007 by mk...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Issue 232327 has been merged into this issue.

[chro...@googlecode.com]

Comment #25 on issue 180007 by mrdejon...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

If you really want to get files from github, or any other page that gives
X-Content-Type-Options: nosniff. You can use this peace of code:
'''
<?php

$lessjs =
file_get_contents("https://raw.github.com/cloudhead/less.js/master/dist/less-1.3.3.min.js");

header("Content-Type: text/javascript");
print($lessjs);
'''

[chro...@googlecode.com]

Comment #26 on issue 180007 by mat...@qiwi.be: Strict MIME type checking

prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

An online service that does what comment #25 suggests is
<http://rawgithub.com/>.

[chro...@googlecode.com]

Comment #27 on issue 180007 by inna...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Refused to execute script
from 'https://code.google.com/apis/youtube/dashboard/gwt/com.google.youtube.frontend.partner.ui.client.DeveloperApp.nocache.js'
because its MIME type ('text/html') is not executable, and strict MIME type
checking is enabled. index.html:1

Whitch is from link
https://code.google.com/apis/youtube/dashboard/gwt/index.html
Strange, it's google's site)

[chro...@googlecode.com]

Comment #28 on issue 180007 by lostuse...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I have the issue with local resources using as:
<script type="text/javascript" src="/res/js/util.js"></script>
I got message:
Refused to execute script from 'http://localserver/res/js/util.js' because
its MIME type ('application/octet-stream') is not executable, and strict

MIME type checking is enabled.

IE 8 & 9 working good.

[chro...@googlecode.com]

Comment #29 on issue 180007 by da...@42andpark.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

If I were king of the Chrominauts, I would have:

* Made this optional - strict MIME type enforcement or not, at the user's
discretion.
* If not strict, show a warning message

[chro...@googlecode.com]

Comment #30 on issue 180007 by da...@42andpark.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I guess I can't edit my past comment... Just wanted to add that this broke
our site. Don't get me wrong, I'm glad to set the correct MIME type from
our server for JavaScript files (and everything else too). It was just
inconvenient that we were suddenly forced to do this.

[chro...@googlecode.com]

Comment #31 on issue 180007 by vmakh...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I think this should be optional

[chro...@googlecode.com]

Comment #32 on issue 180007 by starbeam...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

But on by default I think

[chro...@googlecode.com]

Comment #37 on issue 180007 by aba...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

> The rule also applies to local (file://) content without any HTTP header.

Would you be willing to file a separate bug about that? That sounds like
something we want to fix.

[chro...@googlecode.com]

Comment #38 on issue 180007 by pierre...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Thanks, I mean will this be an option which I can toggle in
Chrome/Chromium settings.

[chro...@googlecode.com]

Comment #39 on issue 180007 by aba...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

> Thanks, I mean will this be an option which I can toggle in
> Chrome/Chromium settings.

It's very unlikely we would add such an option.

[chro...@googlecode.com]

Comment #40 on issue 180007 by starbeam...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

Would a command line flag be better?

[chro...@googlecode.com]

Comment #41 on issue 180007 by aba...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

> Would a command line flag be better?

No.

[chro...@googlecode.com]

Comment #42 on issue 180007 by heavy.l...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I request this to be open again, users should have control over their
browser and should be free to execute the scripts if explicitly asked.

[chro...@googlecode.com]

Comment #43 on issue 180007 by starbeam...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

@heavy.l..... I agree - I would like to use a browser that I have full
control over.

[chro...@googlecode.com]

Comment #45 on issue 180007 by michaelh...@gmail.com: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

I'd like something to disable this as well. I don't use github scripts on
my website, but I use it for something entirely different: bookmarklets for
use on IRCCloud (https://www.irccloud.com). Specifically, I used a script
hosted on github's gist service to grab my "now playing" song from Last.fm,
and then look up the song information on Spotify, and then post the song
info along with a spotify URI in the channel.

It's a bummer that github wants to act that way, but I think that users
should have the right to override something their own browser is doing. A
setting like this doesn't even have to be in chrome://settings. It could be
in a much lower end area. I personally don't mind having a command line
flag, but I think this is too extreme.

For the past 3 weeks I've been trying to figure out what happened to my
song scripts, and I finally found this issue report that describes exactly
what I see. Amazing to see that most, if not all, of this is connected to
github.

For my use case, it makes no sense for me to make a github pages website,
just to host a script that I use as a bookmarklet.

Chrome devs, please take this feedback and consider it. It's very sad that
I have to now figure out something else for my bookmarklet scripts. Having
a client side way to enable this feature would be very (and I mean very)
much appreciated.

[chro...@googlecode.com]

Updates:
Cc: -aba...@chromium.org

Comment #48 on issue 180007 by aba...@chromium.org: Strict MIME type

checking prevents JavaScript served as 'text/plain' from executing.
http://code.google.com/p/chromium/issues/detail?id=180007

(No comment was entered for this change.)