browser console errors after v1.6.0 upgrade

  • Global Moderator Plugin & Theme Dev

    A better solution for nginx is this, which sets the content type for .jst to application/javascript

    types {
      application/javascript jst;
    }
    

    You can either put this in the /assets... location block if you have one, or just anywhere in the server block.

    I'm working on setting this content type in NodeBB as well, I'm tracking it with this issue: NodeBB/NodeBB#5934

    pitaj created this issue in NodeBB/NodeBB

    closed .jst content-type is incorrect #5934


  • @pitaj said in browser console errors after v1.6.0 upgrade:

    A better solution for nginx is this, which sets the content type for .jst to application/javascript

    types {
      application/javascript jst;
    }
    

    You can either put this in the /assets... location block if you have one, or just anywhere in the server block.

    I'm working on setting this content type in NodeBB as well, I'm tracking it with this issue: NodeBB/NodeBB#5934

    Thanks @PitaJ

    Modified the block below to add your suggestion:

            location ~ ^/assets/(.*) {
                    root /var/www/nodebb/forums/;
                    try_files /build/public/$1 /public/$1 @nodebb;
                    types {
                            application/javascript jst;
                    }
            }
    

    It caused a lot of strange display errors. I'll just leave the strict enforcement off for now and wait for the fix to be in NodeBB... It looks like everything is coming down as application/octet-stream?

    Console errors after modifying the assets block:

    Refused to execute script from 'https://gamingexodus.com/assets/nodebb.min.js?v=1g9ivu2ogsa' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    (index):1 Refused to execute script from 'https://gamingexodus.com/assets/vendor/jquery/timeago/locales/jquery.timeago.en.js' because its MIME type ('application/octet-stream') is not executable, and strict MIME type checking is enabled.
    (index):23 Resource interpreted as Stylesheet but transferred with MIME type application/octet-stream: "https://gamingexodus.com/assets/stylesheet.css?v=1g9ivu2ogsa".
    (index):46 Resource interpreted as Stylesheet but transferred with MIME type application/octet-stream: "https://gamingexodus.com/plugins/nodebb-plugin-markdown/styles/railscasts.css".
    (index):1087 Uncaught ReferenceError: $ is not defined
        at (index):1087
    (anonymous) @ (index):1087
    (index):1105 Uncaught ReferenceError: define is not defined
        at (index):1105
    (anonymous) @ (index):1105
    (index):1134 Uncaught ReferenceError: require is not defined
        at (index):1134
    (anonymous) @ (index):1134```
  • GNU/Linux Admin

    The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

    ... :trollface: (emphasis mine)

    As @pitaj issued it, we'll track its fix, but as X-Content-Type-Options is not likely to be used extensively, there's no need to prioritise this issue for backport into v1.6.x. However when resolved, you can easily cherry-pick the fix into your existing installation.

  • Global Moderator Plugin & Theme Dev

    @teh_g I do admit I didn't check if it would work, you probably actually need

    types {
      application/javascript jst js;
      text/css css;
    }
    

  • @julian said in browser console errors after v1.6.0 upgrade:

    The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

    ... :trollface: (emphasis mine)

    As @pitaj issued it, we'll track its fix, but as X-Content-Type-Options is not likely to be used extensively, there's no need to prioritise this issue for backport into v1.6.x. However when resolved, you can easily cherry-pick the fix into your existing installation.

    Totally understand 😄

    I'm super paranoid and like following the theoretical best practices, but as you can see by the content security policy in my nginx config, it isn't always possible. Stupid real world not lining up with my perfect world expectations!

    @pitaj said in browser console errors after v1.6.0 upgrade:

    @teh_g I do admit I didn't check if it would work, you probably actually need

    types {
      application/javascript jst js;
      text/css css;
    }
    

    This mostly works now. The admin page still had some issues, but at least the user section is good! I will keep strict checking disabled for the time being 😉

  • Global Moderator Plugin & Theme Dev

    @teh_g what are the admin issues?


  • @pitaj said in browser console errors after v1.6.0 upgrade:

    @teh_g what are the admin issues?

    I didn't capture the browser console log, but it was more of the MIME type errors. If you don't have a test server where you can toggle on nosniff again, I can capture the errors again later. I don't want to break my forums anymore 😅

    Having the nosniff option disabled fixes it, but I'd definitely love to keep that enabled. It protects against a few malicious attacks that could potentially occur. Though they are unlikely.


  • Issue confirmed - good catch.

    As far as I can see nginx doesn't touch the headers (if not explicitly told to do so) as it's just proxying stuff...

    Update:

    Got around the issue using:

     location ~ \.jst {
                    add_header              Content-Type    application/javascript;
                    proxy_pass              http://board;
            }
    

    Not nice, but for now it's a solution I am able to live with on that vhost even with
    nginx.conf having set add_header X-Content-Type-Options nosniff;


  • I observed the same after updating my board to v1.6.0, yesterday. I decided to cherry pick commit https://github.com/NodeBB/NodeBB/commit/dc87d7fc0f86d282553e40ba0f50d1bd4de9c3c1

    This solved the issue!

    @PitaJ: Thanks for providing this commit!

  • Anime Lovers

    only chrome creating issue other browser working fine please guide?

  • Anime Lovers

    @zaasmi 63c90901-72f0-4138-b31e-d1c6de30b1bd-image.png
    bfc90343-ec62-4d3f-97d6-5d9cec4a16b1-image.png
    Right Top Profile, chat, notification not working
    also not working on Nobebb Community these areas.

  • Global Moderator Plugin & Theme Dev

    @zaasmi are you seeing any errors in the browser developer tools console?

  • Anime Lovers

Suggested Topics

  • 3
  • 4
  • 2
  • 6
  • 11
| |