[Question] Getting strange error regarding X-Content-Type-Options: nosniff #99
Comments
Mirko, thanks for opening an issue. So... I see this sometimes, but I've never quite figured out what magic combination of browsers and setups causes it. So I hesitate to tell you a cause. What I can say is that it may be because:
^ these are all issues and setups that I've seen. Fundamentally the use of JSONP (https://www.w3schools.com/js/js_json_jsonp.asp) which is what we use since we don't have CORS support in Solr is becoming harder and harder to support as browsers (for good reasons) become more security conscious. What worked a few years ago wonderfully for Splainer is now more error prone. Looking to the future, well one thing we really want is CORS support in Solr. We have old hacks from 2016, https://laurenthinoul.com/how-to-enable-cors-in-solr/ but we need to properly support it in Solr. In lieu of that, one thing is that I made a Solr Package of splainer. This deploys Splainer IN your cluster, which means you avoid the need to use JSONP and CORS... https://github.com/o19s/splainer#splainer-package-for-solr for more information. One thing to be aware of: in Solr 9.3 there was a bug in getting the package manager to talk to GitHub-based repositories. I fixed the bug, so the upcoming Solr 9.4 will properly deal with it.
Hi @epugh, thank you for your fast response! Indeed, splainer is running on http, and our Solr installation is running in cloud mode over https on GKE, so this might be the security issue. However, as far as I understand the debug trace, splainer creates a <script> tag trying to load the Solr debug response, and wrapping the response with some angular helper functions to parse it. This seems to be easily replaceable with a simple fetch API invocation, as this would help to avoid this whole DOM manipulation and CORS/Mime-Type issues. I'd really like to provide a fix here, so where could I start?
Let's see what happens! I'd love a fix too. So there are two projects. This one is the web layer that powers splainer.io, and you can follow https://github.com/o19s/splainer#developing-splainer. The actual logic is in a library https://github.com/o19s/splainer-search... it produces a Node package that is used both by splainer.io and quepid.com apps... I believe it's in there you will want to make changes. Already you can override how splainer-search does queries to solr to be GET instead of JSONP, so maybe you just need to change how the webapp works, not totally sure. If you are swapping between the two projects, then check out https://github.com/o19s/splainer#using-docker-compose-to-test-splainer-search-with-splainer.
@mirkosertic let me know if you have some progress....
Thank you for this cool project!
I've tried it with our Solr 9.1 installation, but I am getting a JavaScript error regarding X-Content-Type-Options: nosniff and Mime-Type text/plain conflict in the browser console.
Did I miss something? I am really not sure how to debug this issue. If I could track down the root cause, I'd love to submit a PR with a fix!
Thank you,
Mirko
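
The error reported above can be reproduced as a header check. This is an added example, not part of the original posts and not code from splainer or splainer-search: it models the nosniff rule that browsers apply to a response loaded through a `<script>` tag, which is how a JSONP reply arrives. The function names and the sample headers are constructed for illustration.

```javascript
// JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce "text/plain;charset=utf-8" to its essence "text/plain".
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Case-insensitive header lookup on a plain object (hypothetical helper).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Models only the nosniff rule for a response fetched as <script src=...>.
// Other checks a browser applies (mixed content, CSP) are out of scope here.
function nosniffScriptCheck(headers) {
  const xcto = header(headers, "X-Content-Type-Options");
  // Fetch standard: only the first comma-separated value is considered.
  const nosniff = xcto !== null && xcto.split(",")[0].trim().toLowerCase() === "nosniff";
  const essence = mimeEssence(header(headers, "Content-Type"));
  if (nosniff && !JS_MIME_ESSENCES.has(essence)) {
    return { blocked: true, reason: `nosniff set and "${essence}" is not a JavaScript MIME type` };
  }
  return { blocked: false, reason: nosniff ? "JavaScript MIME type" : "nosniff not set" };
}

// Constructed sample responses, not captured from a real Solr server.
const samples = {
  jsonpAsTextPlain: { "Content-Type": "text/plain;charset=utf-8", "X-Content-Type-Options": "nosniff" },
  jsonpAsJavascript: { "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff" },
  textPlainNoHeader: { "Content-Type": "text/plain" },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, nosniffScriptCheck(headers));
}
```

A response read with `fetch()` and parsed as JSON is not subject to this script MIME check, but a cross-origin `fetch()` needs CORS headers from the server instead.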