I am trying to set up helmet security on my React application production server. But whenever I try hitting the URL, I get an error saying: Refused to execute script from 'http://localhost:3000/static/js/app.378bd8b8eee930fb268c.js' because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled.
For the compression build I am using compression-webpack-plugin.
The compression build is working perfectly fine when I remove helmet.
Helmet plugin setting:
{"xssFilter": {"setOnOldIE": true}}
tl;dr: /static/js/app.378bd8b8eee930fb268c.js is being sent with a Content-Type of application/gzip but it should be application/javascript.
Author of Helmet here. This is happening because of the X-Content-Type-Options header, which Helmet automatically sets to nosniff. This tells browsers not to infer the type of the file, and to trust the Content-Type that the server sets.
As you can see in your screenshot, /static/js/app.378bd8b8eee930fb268c.js has a Content-Type of application/gzip. The browser refuses to interpret it as JavaScript because its Content-Type isn't application/javascript—that's the X-Content-Type-Options header in action.
You can fix your problem by fixing that—get your JavaScript files' Content-Types to be application/javascript, not application/gzip.
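One way to do what the answer above describes, as an added example that is not part of the original answer or of Helmet's code: take the Content-Type from the requested path, and signal the pre-compressed file with Content-Encoding instead. The names resolveAsset and makeHandler, the MIME table and the `.gz` sibling-file layout are assumptions for illustration.

```javascript
// Added example: pick response headers for pre-compressed webpack assets.
// Content-Type describes the decoded content; gzip belongs in Content-Encoding.
const MIME_TYPES = {
  '.js': 'application/javascript',
  '.css': 'text/css',
  '.html': 'text/html',
  '.json': 'application/json',
};

function extensionOf(path) {
  const dot = path.lastIndexOf('.');
  return dot === -1 ? '' : path.slice(dot).toLowerCase();
}

// exists(file) -> boolean is injected so the decision logic runs offline.
function resolveAsset(urlPath, acceptEncoding, exists) {
  const path = urlPath.split('?')[0];
  const type = MIME_TYPES[extensionOf(path)];
  // Unknown type (including a direct request for *.gz) or traversal: do not serve.
  if (!type || path.includes('..')) return null;
  const headers = {
    'Content-Type': type,               // from the requested name, never from ".gz"
    'X-Content-Type-Options': 'nosniff', // same header Helmet sets
    'Vary': 'Accept-Encoding',
  };
  // q-values in Accept-Encoding are ignored here for brevity.
  const acceptsGzip = /(^|,)\s*gzip\s*(;|,|$)/i.test(acceptEncoding || '');
  if (acceptsGzip && exists(path + '.gz')) {
    headers['Content-Encoding'] = 'gzip';
    return { file: path + '.gz', headers };
  }
  return exists(path) ? { file: path, headers } : null;
}

// Wiring into a Node http server; fs (Node's fs module) and root are supplied by the caller.
function makeHandler(fs, root) {
  return (req, res) => {
    const asset = resolveAsset(req.url, req.headers['accept-encoding'],
      (p) => fs.existsSync(root + p));
    if (!asset) { res.writeHead(404); return res.end(); }
    res.writeHead(200, asset.headers);
    fs.createReadStream(root + asset.file).pipe(res);
  };
}
```

With these headers the browser decompresses the body and still sees application/javascript, so the nosniff check passes.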
Check your Windows registry key.
C:\>reg query HKCR\.js /v "Content Type"
HKEY_CLASSES_ROOT\.js
Content Type REG_SZ text/plain
Update the key as follows; it works for me.
C:\>reg add HKCR\.js /v "Content Type" /t REG_SZ /d application/javascript