browser console errors after v1.6.0 upgrade



  • Being an early adopter, I upgraded to NodeBB 1.6.0 since I saw it was released. My forums seem pretty borked now. I can get to the main page, but I can't view categories or navigate anywhere in the admin panel. This seems to be tied to some console errors.

    Edit: Link to my site for the curious: https://gamingexodus.com

    Here are the errors when I got to the category page:

    GET https://gamingexodus.com/var/www/nodebb/forums/public/uploads/system/site-logo.png 404 ()
    (index):1 Failed to decode downloaded font: https://fonts.gstatic.com/stats/Roboto/normal/400
    ajaxify.js:334 Unable to load template: modules/taskbar
    (anonymous) @ ajaxify.js:334
    (anonymous) @ require.js:7
    (anonymous) @ require.js:23
    y @ require.js:6
    emit @ require.js:23
    (anonymous) @ require.js:11
    y @ require.js:6
    l @ require.js:11
    onScriptError @ require.js:30
    (index):1 Refused to execute script from 'https://gamingexodus.com/assets/templates/modules/taskbar.jst?v=rhm3bmqm9f0' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    require.js:7 Uncaught Error: Script error for "/assets/templates/modules/taskbar.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    F @ require.js:7
    onScriptError @ require.js:30
    ajaxify.js:334 Unable to load template: modules/taskbar
    (anonymous) @ ajaxify.js:334
    (anonymous) @ require.js:7
    (anonymous) @ require.js:23
    y @ require.js:6
    emit @ require.js:23
    p @ require.js:12
    (anonymous) @ require.js:12
    y @ require.js:6
    p @ require.js:12
    (anonymous) @ require.js:13
    y @ require.js:6
    d @ require.js:13
    (anonymous) @ require.js:13
    setTimeout (async)
    d @ require.js:13
    (anonymous) @ require.js:13
    setTimeout (async)
    d @ require.js:13
    (anonymous) @ require.js:26
    setTimeout (async)
    (anonymous) @ require.js:32
    c @ require.js:26
    requirejs @ require.js:32
    (anonymous) @ (index):768
    require.js:7 Uncaught Error: Script error for "/assets/templates/modules/taskbar.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    F @ require.js:7
    onScriptError @ require.js:30
    setTimeout (async)
    d @ require.js:13
    (anonymous) @ require.js:13
    setTimeout (async)
    d @ require.js:13
    (anonymous) @ require.js:26
    setTimeout (async)
    (anonymous) @ require.js:32
    c @ require.js:26
    requirejs @ require.js:32
    (anonymous) @ (index):768
    /category/1/announcements:1 Refused to execute script from 'https://gamingexodus.com/assets/templates/category.jst?v=rhm3bmqm9f0' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    ajaxify.js:334 Unable to load template: category
    (anonymous) @ ajaxify.js:334
    (anonymous) @ require.js:7
    (anonymous) @ require.js:23
    y @ require.js:6
    emit @ require.js:23
    (anonymous) @ require.js:11
    y @ require.js:6
    l @ require.js:11
    onScriptError @ require.js:30
    require.js:7 Uncaught Error: Script error for "/assets/templates/category.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    

    Errors from the admin page:

    admin:1 Refused to execute script from 'https://gamingexodus.com/assets/templates/modules/taskbar.jst?v=rhm3bmqm9f0' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    ajaxify.js:334 Unable to load template: modules/taskbar
    (anonymous) @ ajaxify.js:334
    require.js:7 Uncaught Error: Script error for "/assets/templates/modules/taskbar.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    F @ require.js:7
    onScriptError @ require.js:30
    ajaxify.js:334 Unable to load template: modules/taskbar
    (anonymous) @ ajaxify.js:334
    require.js:7 Uncaught Error: Script error for "/assets/templates/modules/taskbar.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    F @ require.js:7
    onScriptError @ require.js:30
    admin/extend/widgets:1 Refused to execute script from 'https://gamingexodus.com/assets/templates/admin/extend/widgets.jst?v=rhm3bmqm9f0' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    ajaxify.js:334 Unable to load template: admin/extend/widgets
    (anonymous) @ ajaxify.js:334
    (anonymous) @ require.js:7
    (anonymous) @ require.js:23
    y @ require.js:6
    emit @ require.js:23
    (anonymous) @ require.js:11
    y @ require.js:6
    l @ require.js:11
    onScriptError @ require.js:30
    require.js:7 Uncaught Error: Script error for "/assets/templates/admin/extend/widgets.jst"
    http://requirejs.org/docs/errors.html#scripterror
        at F (require.js:7)
        at HTMLScriptElement.onScriptError (require.js:30)
    F @ require.js:7
    onScriptError @ require.js:30
    

    No errors in the NodeBB log though.



  • @julian

    Something is definitely broken. I disabled some of the security options I have in nginx, hoping it was tied to that, but no luck.

    Any idea why some of these errors are occurring?


  • Admin

    That's a little odd... Are you using CloudFlare or some other CDN?



  • @julian said in browser console errors after v1.6.0 upgrade:

    That's a little odd... Are you using CloudFlare or some other CDN?

    CloudFlare. I cleared the cache on their edge networks. Let me try disabling "the orange cloud".

    I also was wondering if "/assets/templates/modules/taskbar.jst" should be taskbar.js?

    Edit: same error with CloudFlare's special sauce disabled.


  • Admin

    Did you run ./nodebb build after upgrading, just in case?



  • @julian said in browser console errors after v1.6.0 upgrade:

    Did you run ./nodebb build after upgrading, just in case?

    I did do that, hoping it was something getting missed in the build. Still the same issue on my page.


  • Admin

    Just for debugging, try to disable all of your plugins via the command line... Perhaps there's a third party plugin not playing nicely



  • @julian said in browser console errors after v1.6.0 upgrade:

    Just for debugging, try to disable all of your plugins via the command line... Perhaps there's a third party plugin not playing nicely

    Is there a bulk way to do it or is it all manually?



  • I didn't have a ton enabled. I disabled a lot of plugins, and am still seeing the errors.

    It seems like it has something to do with the MIME type for the taskbar.jst, which causes a cascade of failures?


  • Admin

    The main thing is that not happening on any of our environments... Which usually suggests some sort of customisation or configuration could be to blame.

    Nginx config?



  • @julian said in browser console errors after v1.6.0 upgrade:

    The main thing is that not happening on any of our environments... Which usually suggests some sort of customisation or configuration could be to blame.

    Nginx config?

    I commented out the security headers and reloaded nginx, but that didn't seem to change anything.

    # Source of these security headers:
    # https://gist.github.com/plentz/6737338#file-nginx-conf-L6
    # https://observatory.mozilla.org/analyze.html?host=gamingexodus.com
    
    # read more here http://tautt.com/best-nginx-configuration-for-security/
    
    # don't send the nginx version number in error pages and Server header
    server_tokens off;
    
    # Redirect all port 80 requests to https
    server {
        listen 80;
        server_name gamingexodus.com www.gamingexodus.com;
        return 301 https://$host$request_uri;
    }
    
    # Real meat of the server block
    server {
            listen 443 ssl http2;
    
            # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
            # to disable content-type sniffing on some browsers.
            add_header X-Content-Type-Options nosniff;
    
            # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
            # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
            # this particular website if it was disabled by the user.
            add_header X-XSS-Protection "1; mode=block";
    
            # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
            # you can tell the browser that it can only download content from the domains you explicitly allow
            # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
            # https://www.owasp.org/index.php/Content_Security_Policy
            # Use "Content-Security-Policy-Report-Only" to test changes
            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' wss: https://api.github.com https://packages.nodebb.org https://bootswatch.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://iframely.gamingexodus.com https://storage.googleapis.com https://checkout.stripe.com https://s.imgur.com https://www.google.com https://www.gstatic.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; child-src https:; object-src 'none'";
    
            # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    
            # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
            ssl_certificate /path/fullchain.pem;
            ssl_certificate_key /path/privkey.pem;
            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            ssl_session_tickets off;
    
            # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
    
            # intermediate configuration. tweak to your needs.
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
            ssl_prefer_server_ciphers on;
    
            # HSTS (ngx_http_headers_module is required)
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    
            # OCSP Stapling ---
            # fetch OCSP records from URL in ssl_certificate and cache them
            ssl_stapling on;
            ssl_stapling_verify on;
    
            ## verify chain of trust of OCSP response using Root CA and Intermediate certs
            ssl_trusted_certificate /path/fullchain.pem;
    
            # Hopefully resolve issues with image uploads
            client_max_body_size 20M;
            # Make site accessible from http://localhost/
            server_name gamingexodus.com www.gamingexodus.com;
    
            # Server block from NodeBB config page
    
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            location @nodebb {
                    proxy_pass http://127.0.0.1:4567;
            }
            location ~ ^/assets/(.*) {
                    root /var/www/nodebb/forums/;
                    try_files /build/public/$1 /public/$1 @nodebb;
            }
            location /plugins/ {
                    root /var/www/nodebb/forums/build/public/;
                    try_files $uri @nodebb;
            }
            location / {
                    proxy_pass http://127.0.0.1:4567;
            }
            location /.well-known {
                    root /var/www/letsencrypt/;
                    allow all;
            }
    }
    

  • Admin

    Try without http2?



  • @julian said in browser console errors after v1.6.0 upgrade:

    Try without http2?

    Same result.

    The MIME type errors are probably the cause. The only thing I can think of is that node is sending the wrong content type for the jst files?


  • Admin

    We'll have to wait for @PitaJ to speak to that



  • @julian said in browser console errors after v1.6.0 upgrade:

    We'll have to wait for @PitaJ to speak to that

    For some reason disabling add_header X-Content-Type-Options nosniff; works now. BUT, why did this change with v1.6.0? I'd greatly prefer to keep that option enabled for security purposes.



  • Ahhhhh, so disabling it in nginx is great and all, but Cloudflare had it on too, so it took a little bit for the changes to propagate once I turned off the Cloudflare proxy.

    Anywho, this seems like a defect to me. There was some change in the MIME settings.


  • Admin

    @teh_g definitely something we should look into, can you send us the issue details on GitHub?


  • Global Moderator

    A better solution for nginx is this, which sets the content type for .jst to application/javascript

    types {
      application/javascript jst;
    }
    

    You can either put this in the /assets... location block if you have one, or just anywhere in the server block.

    I'm working on setting this content type in NodeBB as well, I'm tracking it with this issue: NodeBB/NodeBB#5934



  • @pitaj said in browser console errors after v1.6.0 upgrade:

    A better solution for nginx is this, which sets the content type for .jst to application/javascript

    types {
      application/javascript jst;
    }
    

    You can either put this in the /assets... location block if you have one, or just anywhere in the server block.

    I'm working on setting this content type in NodeBB as well, I'm tracking it with this issue: NodeBB/NodeBB#5934

    Thanks @PitaJ

    Modified the block below to add your suggestion:

            location ~ ^/assets/(.*) {
                    root /var/www/nodebb/forums/;
                    try_files /build/public/$1 /public/$1 @nodebb;
                    types {
                            application/javascript jst;
                    }
            }
    

    It caused a lot of strange display errors. I'll just leave the strict enforcement off for now and wait for the fix to be in NodeBB... It looks like everything is coming down as application/octet-stream?

    Console errors after modifying the assets block:

    Refused to execute script from 'https://gamingexodus.com/assets/nodebb.min.js?v=1g9ivu2ogsa' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    (index):1 Refused to execute script from 'https://gamingexodus.com/assets/vendor/jquery/timeago/locales/jquery.timeago.en.js' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    (index):23 Resource interpreted as Stylesheet but transferred with MIME type application/octet-stream: "https://gamingexodus.com/assets/stylesheet.css?v=1g9ivu2ogsa".
    (index):46 Resource interpreted as Stylesheet but transferred with MIME type application/octet-stream: "https://gamingexodus.com/plugins/nodebb-plugin-markdown/styles/railscasts.css".
    (index):1087 Uncaught ReferenceError: $ is not defined
        at (index):1087
    (anonymous) @ (index):1087
    (index):1105 Uncaught ReferenceError: define is not defined
        at (index):1105
    (anonymous) @ (index):1105
    (index):1134 Uncaught ReferenceError: require is not defined
        at (index):1134
    (anonymous) @ (index):1134```

  • Admin

    The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

    ... (emphasis mine)

    As @pitaj issued it, we'll track its fix, but as X-Content-Type-Options is not likely to be used extensively, there's no need to prioritise this issue for backport into v1.6.x. However when resolved, you can easily cherry-pick the fix into your existing installation.


Log in to reply
 


Looks like your connection to NodeBB was lost, please wait while we try to reconnect.