C＃ASP X-CONTENT-TYPE-OPTIONS-Internet Explorer不显示PNG文件

Question

In an attempt to better secure our website application after running OWASP ZAP it has been advised to set the header X-CONTENT-TYPE-OPTIONS to NOSNIFF, which I've done.

Since doing that though, any locally hosted PNG files are no longer being displayed on Internet Explorer (various versions), and there is image data in the response (the IE Developer tools will show the image associated with the response).

Having checked the responses, I can see that the MIME type being requested is image/png but the response MIME type is octet-stream.

Figuring this was a problem with known MIME types, during the APPLICATION_BEGINREQUEST phase I tried checking for PNG requests and setting HttpContext.Current.Response.ContentType = "image/png"; but the response still ended up as an octet-stream.

        if (HttpContext.Current.Request.Url.ToString().ToLower().Contains(".png"))
        {
            HttpContext.Current.Response.ContentType = "image/png";
        }

I've also tried modifying the applications web.config to add:

<system.webServer>
  <staticContent>
     <mimeMap fileExtension=".png" mimeType="image/png" />
  </staticContent>
</system.webServer>

...but that didn't change anything either.

I'm guess there must be a solution to this problem, but so far I've not managed to find one!

Does anyone have the solution to this problem?

Thanks in advance!

Answer 1

After a quick check on MIME types on an IIS instance, I decided to go ahead and deploy the application without the web.configuration changes, and without the ContentType code.

Low and behold, everything is being rendered in IE as it should be.

Therefore whatever the problem is, this appears to be an issue with Cassini!

Hopefully this saves someone from any lengthy investigation in the future!