X-Content-Type-Options header blocks h5p scripts because of wrong MIME type
Submitted by cm141 on Thu, 05/17/2018 - 17:38
- After adding X-Content-Type-Options header with the nosniff option, scripts from the h5p plugin were blocked because of wrong MIME types
- Wordpress 4.9.5
- Chrome, Firefox
- H5P plugin Version 1.10.1
- InteractiveVideo 1.17
- Browser console errors:
Loading failed for the <script> with source “.../files/h5p/cachedassets/995b0307c8eeea52e64f45853a0ad7a842695b3d.js”.
Unable to find constructor for: H5P.InteractiveVideo 1.17 h5p.js:861:5
TypeError: instance is undefined
Refused to execute script from '.../files/h5p/cachedassets/7de4395….js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled
It seems that the h5p plugin doesn't work with my newly added X-Content-Type-Options header. I don't know if my webserver is misconfigured or the problem lies with h5p itself. Help would be much appreciated.
Wed, 05/23/2018 - 11:20
Your web server isn't sending the correct "Content-Type: ..." header.
Note that some "security" plugins may generate this file for you in the uploads folder where they deny access to .js files or their mime type as a precaution.
You can double check the content type header using online tools or the command line tool curl -I http://yourdomain/file.js
Thu, 05/24/2018 - 08:34
wrong mime type
I'm facing the same problem as "cm141" but on my installation (multisite blog) it says it's an "image/js" mime type.
I'm pretty sure it's not a problem of misconfiguration as any other js files are delivered correctly and the mime type settings on the server are correct. Any other ideas?
Thu, 05/24/2018 - 14:33
There is no PHP or plugin code running in between the web server and the file on the disk. The web server is the one checking the file extension and sending the content type header + the file to the client. I am pretty certain that your web servers are misconfigured, please double check all configuration and .htaccess files in parent directories.
Fri, 06/01/2018 - 15:31
I have done a few tests to find out more.
Setting define('H5P_DISABLE_AGGREGATION', true); has shown that scripts from the libraries in wp-content/blogs.dir/blogname/files/... get served with wrong headers, while scripts from wp-content/plugins/h5p/... are served correctly.
in the server block did nothing.
Wed, 06/06/2018 - 14:04
I just did the update to 1.10.2 and we are still facing the same problem.
I also triple-checked the settings on the server down to the cachedasset folder and it looks good to me (see attached screenshot).
Thu, 06/07/2018 - 14:22
Hi, could you please verify the header using a tool like cURL? E.g.
Or you can use an online tool like this:
Just enter the URL that is failing and you should see the Content-Type header returned by your web server.
Tue, 06/12/2018 - 14:36
curl -I https://mysite/blogname/files/h5p/libraries/H5P.InteractiveVideo-1.17/di... 2>/dev/null |grep -Fi Content-Type
Firefox network monitor
Content-Security-Policy-Report-Only default-src 'self' https://sec…a:; report-uri /csp-report.php
Date Tue, 12 Jun 2018 12:15:09 GMT
Expires Thu, 12 Aug 2021 22:01:49 GMT
Last-Modified Mon, 13 Nov 2017 10:59:24 GMT
X-XSS-Protection 1; mode=block
Tue, 06/12/2018 - 15:54
Found the problem
To pascalCH, maybe you have a similar problem. Because if ms-files.php can't find a MIME type, it does the following:
$mimetype = 'image/' . substr( $file, strrpos( $file, '.' ) + 1 );
header( 'Content-Type: ' . $mimetype );
So you could get "image/js".
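Added example (not part of this thread, and not H5P or WordPress code): a small Python check that parses `curl -I` style output and reports whether a browser enforcing X-Content-Type-Options: nosniff would refuse to execute the script, plus a model of the ms-files.php fallback quoted above. The sample header blocks and the `known_types` map are constructed.

```python
# Checks a script response against the nosniff rule and models the
# ms-files.php fallback that turns an unknown extension into "image/<ext>".

# JavaScript MIME types that browsers accept for <script> under nosniff
# (the HTML specification's "JavaScript MIME type" list).
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def parse_headers(raw):
    """Parse a raw response header block (as printed by `curl -I`) into a
    dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def script_blocked_by_nosniff(headers):
    """Return (blocked, reason) for a <script> load of this response."""
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    # Drop parameters such as "; charset=UTF-8" before comparing the type.
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if not nosniff:
        return False, "nosniff not set; the browser may sniff the type"
    if ctype in JS_MIME_TYPES:
        return False, f"{ctype} is a JavaScript MIME type"
    return True, f"{ctype or '<missing>'} is not a JavaScript MIME type"


def ms_files_fallback_type(filename, known_types):
    """Model of the quoted fallback: if the extension is not in the map
    (a constructed stand-in for WordPress's own lookup), the type becomes
    'image/' + text after the last dot, e.g. 'image/js'."""
    ext = filename[filename.rfind(".") + 1:]
    return known_types.get(ext, "image/" + ext)


# Constructed sample, shaped like the output of `curl -I` on a multisite file.
SAMPLE_BAD = """HTTP/1.1 200 OK
Content-Type: image/js
X-Content-Type-Options: nosniff
"""
```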
Tue, 06/12/2018 - 16:26
Ah, thank you for sharing. I have not heard about this before.
Fri, 06/15/2018 - 07:50
Thank you cm141! This fixed the problem on my wordpress installation as well.
The downside is, we now have a manually patched wordpress-installation. I tried to move the fix to the function.php file in my theme, but I was not successful with this.
Mon, 06/18/2018 - 14:28
Considering that my wp
I also tested that users still can't upload js. So it would seem that wp is still secure in that aspect, even with the modification. That means I am leaving things as they are instead of trying to get rid of ms-files.php.
For everyone having problems with ms-files and wanting to get rid of it: https://halfelf.org/2012/dumping-ms-files/
Fair warning, this doesn't seem to be trivial.
Tue, 06/19/2018 - 09:25
Hi cm141,
Once again thank you for sharing this, we really appreciate it :-)