MIME type mismatch error after enabling the HTTP response header “X-Content-Type-Options”

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

The X-Content-Type-Options header is an HTTP response header that lets developers declare that their content must not be MIME-sniffed. It is designed to mitigate MIME-sniffing attacks. For every page that could contain user-controllable content, you must send the HTTP header X-Content-Type-Options: nosniff.

Add the header below to the web.config file if the application is hosted on Internet Information Services (IIS) 7 or later.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Please refer to the link to learn more about this particular response header.

The browser's script and stylesheet elements will reject responses with an incorrect MIME type if the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion. This is explained in this article.

Recently, I was working on an issue where I was getting the below error while calling AJAX functions.

Refused to execute script from 'http://localhost:8081/ajax/common.ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
Sample.aspx:1 Refused to execute script from 'http://localhost:8081/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.

I see the code below in my application.

<script type="text/javascript" src="/ajax/common.ashx"></script>
<script type="text/javascript" src="/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx"></script>

This means that my application expects a JavaScript response from the .ashx file, but unfortunately IIS sends the response with the content-type "text/plain", as it is a default HTTP handler.
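The rule the browser applies in the error above, as an added Python check that is not part of the original post: it implements the strict-MIME test for script and stylesheet destinations (only a JavaScript MIME type, or text/css, passes once nosniff is set), handles the charset parameter and header-value casing, and reports which subresources on a page would be refused. The handler paths and response headers are constructed sample data, not captured from a real server.

```python
from html.parser import HTMLParser
# JavaScript MIME types a browser accepts for <script> under strict MIME checking
# (the list from the WHATWG MIME Sniffing standard); anything else is refused.
JAVASCRIPT_MIME_TYPES = {"application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript", "text/ecmascript",
    "text/javascript", "text/jscript", "text/livescript", "text/x-ecmascript",
    "text/x-javascript"} | {"text/javascript1.%d" % i for i in range(6)}

def nosniff_enabled(headers):
    # honoured only if the header's first value is "nosniff" (case-insensitive)
    value = headers.get("x-content-type-options", "")
    return value.split(",", 1)[0].strip().lower() == "nosniff"

def blocked_by_nosniff(destination, headers):
    # the browser's strict-MIME rule for a 'script' or 'style' destination
    if not nosniff_enabled(headers):
        return False                      # browser may sniff, nothing is refused
    # compare the type/subtype only; parameters such as charset=utf-8 are ignored
    mime = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if destination == "script":
        return mime not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False                          # nosniff restricts only script and style

class _Subresources(HTMLParser):
    # collects (destination, url) for <script src=...> and <link rel=stylesheet href=...>
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.refs.append(("style", a["href"]))

def audit_page(html, responses):
    # return the subresource URLs the browser would refuse, given a url -> headers map
    p = _Subresources()
    p.feed(html)
    return [url for dest, url in p.refs if blocked_by_nosniff(dest, responses.get(url, {}))]
# Constructed sample: the handler from the post plus a correct script and stylesheet.
SAMPLE_HTML = ('<script type="text/javascript" src="/ajax/common.ashx"></script>'
               '<script src="/scripts/app.js"></script><link rel="stylesheet" href="/site.css">')
SAMPLE_RESPONSES = {  # header names lower-cased, as a client library would present them
    "/ajax/common.ashx": {"content-type": "text/plain", "x-content-type-options": "nosniff"},
    "/scripts/app.js": {"content-type": "application/javascript; charset=utf-8",
                        "x-content-type-options": "NOSNIFF"},
    "/site.css": {"content-type": "text/css", "x-content-type-options": "nosniff"},
}
```

Running audit_page(SAMPLE_HTML, SAMPLE_RESPONSES) returns only /ajax/common.ashx, the same refusal the console error reports for a text/plain handler response.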

As it would take some time to change the application code and deploy it to IIS, I added an outbound URL rewrite rule in IIS as a workaround to fix the issue. Below are the steps followed.

<rewrite>
  <outboundRules>
    <remove name="Test" />
    <!-- Both patterns are regular expressions: when a text/plain response is
         served for a request whose URI contains .ashx, the response
         Content-Type server variable is rewritten to text/javascript. -->
    <rule name="Test">
      <match serverVariable="RESPONSE_CONTENT_TYPE" pattern="text/plain" />
      <conditions>
        <add input="{REQUEST_URI}" pattern=".ashx" />
      </conditions>
      <action type="Rewrite" value="text/javascript" />
    </rule>
  </outboundRules>
</rewrite>

Refer: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-module

Note: This is just a workaround to resolve the issue; the permanent solution is to set the correct MIME type in your application code as required.

Hope this helps!
