Login/Register
Resource blocked due to MIME type mismatch (X-Content-Type-Options: nosniff)
Asked Answered
javascriptmime
F

16

162

I am developing a web page using JavaScript and HTML, everything was working good when I have received this list of errors from my HTML page:

The resource from “https://raw.githubusercontent.com/dataarts/dat.gui/master/build/dat.gui.min.js”
  was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
The resource from “https://raw.githubusercontent.com/mrdoob/three.js/dev/build/three.js” was
  blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
The resource from “https://raw.githubusercontent.com/mrdoob/three.js/master/examples/js/renderers/CanvasRenderer.js”
  was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
The resource from “https://raw.githubusercontent.com/mrdoob/three.js/master/examples/js/renderers/Projector.js”
  was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
The resource from “https://raw.githubusercontent.com/mrdoob/three.js/dev/build/three.js” was
  blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).

These errors appeared after an automatic browser update (Mozilla Firefox), may be something has been changed in the set up. Do you know any way to solve this problem?

Felicific answered 21/11, 2016 at 20:14 Comment(1)
Don't load files from GitHub. Instead, use a CDN.Snuffer
K
116

Check if the file path is correct and the file exists - in my case that was the issue - as I fixed it, the error disappeared

Kinematics answered 25/12, 2016 at 8:56 Comment(3)
I'm also facing the same issue and file is also not there in pub directory. What should I do? Its a custom theme file.Vet
@SaiidatRLTSquare if file does not exist you should find from somewhere and put it there - or if that file is not important - just remove the line that includes it (or create empty file) so it will not give an errorKinematics
Using Passenger with Node threw my build paths off, updating the paths fixed it. Thank you!Albumenize
S
47

This can be fixed by changing your URL to use a mirror/proxy. Instead of using GitHub:

https://raw.githubusercontent.com/svnpenn/bm/master/yt-dl/yt-dl.js
Content-Type: text/plain; charset=utf-8

Use a third-party cache:

https://cdn.rawgit.com/svnpenn/bm/master/yt-dl/yt-dl.js
content-type: application/javascript;charset=utf-8

-- 2024 UPDATE --

rawgit.com was a caching proxy service for GitHub that has shut down since 2018. See its FAQ

The suggested alternative would be to use jsDelivr. In the examples above, the URL would now look like this

https://cdn.jsdelivr.net/gh/svnpenn/bm/master/yt-dl/yt-dl.js
Syllabogram answered 24/12, 2016 at 1:7 Comment(3)
In the addess raw.githubusercontent.com is replaced by cdn.rawgit.com which will respond with the correct mime-type.Indicator
rawgit is shutting down. you can use jsdeliver as explained in following answer - https://mcmap.net/q/149912/-resource-blocked-due-to-mime-type-mismatch-x-content-type-options-nosniffCognac
@MayankKumarChaudhari very good point - I updated the answer to include a jsDeliver example.Loudish
P
38

We started facing this error in production after our devops team changed the webserver configuration by adding X-Content-Type-Options: nosniff. Now, due to this, browser was forced to interpret the resources as it was mentioned in content-type parameter of response headers.

Now, from the beginning, our application server was explicitly setting content-type of the js files as text/plain. Since, X-Content-Type-Options: nosniff was not set in webserver, browser was automatically interpreting the js files as JavaScript files although the content-type was mentioned as text/plain. This is called as MIME-sniffing. Now, after setting X-Content-Type-Options: nosniff, browser was forced to not do the MIME-sniffing and take the content-type as mentioned in response headers. Due to this, it did interpret js files as plain text files and denied to execute them or blocked them. The same is shown in your errors.

Solution: is to make your server set the content-type of JS files as 

application/javascript;charset=utf-8

This way, it will load all JS files normally and issue will get resolved.

Precipitant answered 30/10, 2018 at 10:42 Comment(4)
Where i need to set the server content-type, I mean which file i need to keep, I am using tomcat 8.5 serverDonell
It all depends on application architecture. In our case, it was a plain old servlet based monolith application. Hence, it was getting set right there in service method.Precipitant
What about changing the HTML instead?Eichhorn
Sorry. I didn't get you. Here, there was no html. We had servlet based application. What change are you suggesting in html?Precipitant
C
14

check your path ,this error will come if file was not exist into given path.

Cattleya answered 14/7, 2017 at 12:58 Comment(0)
B
14

Are you using express?

Check your path(note the "/" after /public/): 

app.use(express.static(__dirname + "/public/"));

//note: you do not need the "/" before "css" because its already included above:

rel="stylesheet" href="css/style.css

Hope this helps

Blab answered 6/10, 2017 at 17:20 Comment(0)
F
7

It might be a wrong path. Ensure in your main app file you have: 

app.use(express.static(path.join(__dirname,"public")));

Example link to your css as:

<link href="/css/clean-blog.min.css" rel="stylesheet">

similar for link to js files:

<script src="/js/clean-blog.min.js"></script>
Fated answered 28/5, 2019 at 13:37 Comment(0)
P
5

For Wordpress

In my case i just missed the slash "/" after get_template_directory_uri() so resulted / generated path was wrong:

My Wrong code :

wp_enqueue_script( 'retina-js', get_template_directory_uri().'js/retina.min.js' );

My Corrected Code :

wp_enqueue_script( 'retina-js', get_template_directory_uri().'/js/retina.min.js' );
Penis answered 6/7, 2017 at 13:4 Comment(0)
F
4

This might be because the browser cannot access a file. I stumbled with this type of error when creating application with node.js. You can try to directly request the script file (copying and pasting url) and see if you can retrieve it. You can see then what the real problem is. It can be because of permission of folder in which the file is located, or browser just cannot find it due to incorrect path to it. In node.js, after specifying route to file, all works.

Fromm answered 26/4, 2017 at 9:53 Comment(2)
According to this MS page it seem to be a MIME type problem. But how would do specify MIME type in Node.js? (One should not have to specify full paths to all files, but only to the assets directories, no?)Purdah
@Purdah got the same problem. ideas?Tem
C
2

I've solved this problem by changing charset in js-files from UTF-8 without BOM to simple UTF-8 in Notepad++

Cnidus answered 6/5, 2017 at 14:47 Comment(0)
H
1

I had this error when i was using the azure storage as a static website, the js files that are copied had the content type as text/plain; charset=utf-8 and i changed the content type to application/javascript

It started working.

Hormuz answered 2/4, 2020 at 10:56 Comment(0)
B
1

It happened to me for wrong tag. By mistake I add the js file in link tag.

Example: (The Wrong One)

<link rel="stylesheet" href="plugins/timepicker/bootstrap-timepicker.min.js">

It solved by using the correct tag for javascript. Example:

<script src="plugins/timepicker/bootstrap-timepicker.min.js"></script>
Bossy answered 7/9, 2020 at 20:51 Comment(0)
I
1

I got this error in a Vue 3 application after updating Vite from v2.9.9 to v4.1.4.

It was solved after I cleared the cache in Firefox (How to clear the Firefox cache)

Informer answered 29/3, 2023 at 7:16 Comment(0)
W
0

See for the protocols HTTPS and HTTP

Sometimes if you are using mixed protocols [this happens mostly with JSONP callbacks ] you can end up in this ERROR.

Make sure both the web-page and the resource page have the same HTTP protocols.

Wat answered 23/8, 2018 at 7:32 Comment(0)
C
0

I got this problem, when having a function name in the url parameters (firefox 68).

E.g. https://.../test.html?concat() where test.html is

<!DOCTYPE html>
<html>
<script src="https://unpkg.com/mathjs/lib/browser/math.js"></script>
</html>

concat is a function in math.js.

I have no idea, why it happens at all. And it occurs least for this function, while some other functions have no effect.

A space between concat and the parenthesis https://.../test.html?concat () solves the problem.

Collin answered 2/6, 2022 at 8:53 Comment(0)
I
0

app.static() does not preserve the file directory. For example: If you use app.static('static/') and link to the file as <script src="/static/code.js"></script> then the file will not be found as it is looking in the long place. Changing the code to <script src="code.js"></script> solved the problem for me

Infatuated answered 4/2, 2023 at 14:9 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.Trailer
A
-2

i also facing this same problem in django server.So i changed DEBUG = True in settings.py file its working

Audio answered 25/6, 2020 at 5:19 Comment(1)
Should not do this on a production serverMelamie

© 2022 - 2024 — McMap. All rights reserved.