
    Smart GWT application error in script execution (DataSourceLoader): its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

    Hi Team,

    Problem headline :-
    Recently we have been facing an error when launching our Smart GWT application, because of newly enabled strict MIME type checking on the server configuration side.

    Problem statement :
    Whenever we try to launch the Smart GWT application, it throws the below error at the initial script execution level -

    Refused to execute script from 'https://10.112.85.154/Bulkuserprovisioning/bulkuserprovisioning/sc/DataSourceLoader?dataSource=bupGridDMI,roleDMI,fileUploadDMI,sasErrorsDMI,%20pingDMI,%20currentUserDMI' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

    Our analysis statement:
    When we investigated this error, we found that it started to occur after strict MIME type checking was enabled on the server configuration side. So it is refusing the Smart GWT response format application/json because the request MIME type mismatches the response MIME type. Let me try to explain our code a bit below.

    We have one main html page in our application where we have added DataSource binding in the below script tag :

    <!-- Datasource binding -->
    <script src="bulkuserprovisioning/sc/DataSourceLoader?dataSource=bupGridDMI,roleDMI,fileUploadDMI,sasErrorsDMI, pingDMI, currentUserDMI"></script>

    Our further investigation says we are not defining any content type while calling the DataSource in the above script tag, hence the response from the GWT application, which is in application/json format, always has a MIME type mismatch. However, we have also tried different ways to provide the content type as application/json in the above script tag, but did not succeed in resolving the issue.

    We are currently using SDK version 2.0. Can you please help us find a way to override the content type in the Smart GWT framework?


    #2
    Simply turn off strict mime type checking. It would break a lot of apps and doesn’t provide a clear benefit.



      #3
      We have enabled this MIME type checking as part of our security enhancement process. Below is the reason for it.

      X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.

      That is why we can't turn off strict MIME type checking. We request you to please suggest a solution on the application code base side.



        #4
        Again, simply turn it off. This isn't an effective security measure, and we are forced in a variety of circumstances to execute content marked as application/json due to browser bugs.

        By using this setting, you are creating problems for yourself with no plausible benefit.



          #5
          We tried all the possible resolutions below in the codebase, but were not able to resolve the issue:

          1. Filter: Used a Filter from the Servlet API and tried to change the content-type of the request.
          2. Explicitly giving the content-type in the view: Here we tried to give the content-type in the HTML itself; that also did not work.
          3. For the transform request: We created an anonymous DataSource and implemented the transform Request method but were not able to call that method.
          4. Tag name change: Tried removing the strictJSON tag from the reference.xm & added useStrictJSON in file DataSource.ds.xml



            #6
            A filter servlet would be able to change the content-type; the rest of your approaches are nonsensical.

            Again, the solution is simple: turn this useless setting off. This is only the first of several problems you are creating for yourself. This one could be solved with a filter servlet, but there are others we are aware of which you will not be able to solve, no matter what you do, because of the way we work around obscure browser bugs.



              #7
              We have tried a filter servlet in the attached manner. Please have a look at the attached filter servlet file.

              But we still receive the same response as below -

              Response Content Type application/json; charset=UTF-8

              It means the content type is not overridden with application/javascript, which we are trying to set in the filter servlet. Please verify and let us know what we are doing wrong in the filter servlet approach.



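Added example, not part of the original thread, not SmartGWT code and not the poster's attached filter: a servlet filter that rewrites the `Content-Type` for the `DataSourceLoader` script response. It assumes the loader servlet sets its own content type after the filter runs, which would produce the unchanged `application/json; charset=UTF-8` header reported in #7; the class name `ScriptContentTypeFilter` and the helper `rewrite` are hypothetical.

```java
// Added example. Map this filter in web.xml only to the DataSourceLoader URL,
// so ordinary JSON responses keep application/json and stay non-executable
// under X-Content-Type-Options: nosniff.
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class ScriptContentTypeFilter implements Filter {

    /** Rewrites a JSON media type to JavaScript, keeping any "; charset=..." suffix. */
    static String rewrite(String type) {
        if (type == null) return null;
        String t = type.trim();
        String lower = t.toLowerCase(Locale.ROOT);
        if (lower.equals("application/json") || lower.startsWith("application/json;")) {
            return "application/javascript" + t.substring("application/json".length());
        }
        return type;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Setting the type on `http` before chain.doFilter() is overwritten when the
        // target servlet sets its own; setting it afterwards is ignored once the
        // response is committed. Intercept the servlet's own calls instead.
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override public void setContentType(String type) {
                super.setContentType(rewrite(type));
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Content-Type".equalsIgnoreCase(name) ? rewrite(value) : value);
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Content-Type".equalsIgnoreCase(name) ? rewrite(value) : value);
            }
        });
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```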


                #8
                Hi Again,

                We would like to continue on this thread again and here we need support from your side urgently.

                Reading the previous posts and problem statements again, the suggestion provided is to turn off strict MIME type checking. But here the OS runs multiple apps and this security check is applicable to all apps; it can't be undone/turned off for one app. All other web apps are working fine even with strict MIME type checking enabled, except for the app running the SmartClient GWT component. So we are looking for a solution within this framework.

                Continuing on the filter approach suggested above to resolve this issue, I think there is a problem with this approach as well. The 'Response' object prepared by the GWT framework has the content type "application/json"; the issue appears to be with the 'Request' object prepared when the call is made to DataSourceLoader using the following statement " <SCRIPT SRC=isomorphic/DataSourceLoader?dataSource=supplyItem,employees,worldDS></SCRIPT>".

                With this call the content type sent is blank or null. Due to the mismatch of content type (where the request has null and the response has 'application/json') we are getting this issue where the grid pane is not loading.
                We think that if there is a way to set the content type in this loader object, then this issue might get resolved.
                Please suggest how to proceed, and if you have any other suggestions or views to resolve this issue then please share them.

                Thanks.



                  #9
                  Strict mime type checking is not a default setting. Turning it off is still the correct solution.

                  Now you've gotten to an even more ridiculous place: that's a standard HTML script tag. SmartGWT has absolutely nothing to do with it at all. If that were truly the issue, then no HTML page with a script tag could execute on your machine, so your claim that other web apps work fine would have to be false (all web applications use script tags). That is not the problem.

                  So again, you could waste your time using a filter servlet to change the server-side mime type, or you could simply disable the useless security setting, which does not protect against any realistic attacks but is wasting a lot of your time.



                    #10
                    Hi, I have had the same problem in my application. The solution that worked for me was to introduce the content type in the Struts 2 configuration.

                    <result type="json">
                        <param name="contentType">application/javascript;charset=ISO-8859-1</param>
                    </result>
