[英]NGINX: X-Content-Type-Options nosniff results in wrong resource/MIME-types
I get errors like: 我收到如下错误:
10:24:45.375 localhost/:1 Refused to execute script from 'https://localhost/runtime.a66f828dca56eeb90e02.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
10:24:45.390 localhost/:1 Refused to execute script from 'https://localhost/polyfills.2f4a59095805af02bd79.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
10:24:45.391 localhost/:1 Refused to execute script from 'https://localhost/main.4946ee69e21757a0ea38.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
10:24:50.815 localhost/:1 Refused to apply style from 'https://localhost/styles.34c57ab7888ec1573f9c.css' because its MIME type ('text/plain') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
after setting X-Content-Type-Options to nosniff in NGINX. 在NGINX中将X-Content-Type-Options设置为nosniff之后。 I am building Angular (version 6.0.3) like
我正在像构建Angular(版本6.0.3)
"ng build --prod --configuration=production --subresource-integrity"
And the output index.html looks like: 输出的index.html看起来像:
...
<body>
<app-root></app-root>
<script type="text/javascript" src="runtime.a66f828dca56eeb90e02.js" integrity="sha384-v4rB9z5qXuO6U644SALSrNM0l0wvQcniOlRg9Lk3fA3ljnzuAPpETTdOPFjvxVhc" crossorigin="anonymous"></script><script type="text/javascript" src="polyfills.2f4a59095805af02bd79.js" integrity="sha384-ducWBZzn39ArKnKYY70ngb3N7WZhfaMAfPG/AMC1XZcbUcvz0GmT3ymoBXA7KrUt" crossorigin="anonymous"></script><script type="text/javascript" src="main.d28db731850ff9163bb0.js" integrity="sha384-ewBSByvIwZ3px9WtXD5S4GxV8AtRmjlqDY4RS81hPo3D6j1NU3EcB/Hd7zw7KA+4" crossorigin="anonymous"></script></body>
Why is the specified type "text/javascript" instead of "application/javascript"? 为什么指定的类型是“文本/ javascript”而不是“应用程序/ javascript”? And is this mismatch causing the error or something else?
并且这种不匹配是否会导致错误或其他原因? Then why does Chrome report
because its MIME type ('text/plain') is not executable
, detecting a completely different MIME-type than specified? 那么,为什么Chrome
because its MIME type ('text/plain') is not executable
,并且检测到与指定的完全不同的MIME类型,为什么会报告?
BTW I am testing this on localhost with self-signed certs, but theoretically this should not be relevant (?) 顺便说一句,我正在使用自签名证书在localhost上对此进行测试,但是从理论上讲,这应该不相关(?)
When you set X-Content-Type-Options to nosniff you also have to set the allowed types in NGINX. 将X-Content-Type-Options设置为nosniff时,还必须在NGINX中设置允许的类型。 In order to do that you just need to reference their file:
为此,您只需要引用他们的文件即可:
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# ...
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.