Details
Bug
Resolution: Fixed
Minor
None
Professional Edition
Google Chrome, Observium 0.16.8.8068
Description
Quite a few years ago a new security feature was introduced called strict MIME type checking, which can be activated by sending the "X-Content-Type-Options: nosniff" header. Almost every tutorial nowadays recommends such a configuration for a secure webserver setup. This will disallow several things, one of them being the execution of JavaScript code with an invalid Content-Type header.
When a webserver uses this feature, the new frontpage map with Leaflet and OpenStreetMap will break:
Refused to execute script from 'https://<Observium URL>/geo.php' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
This can be easily fixed by setting the appropriate Content-Type header in html/geo.php, which is application/javascript in this case. I've attached a simple patch, although it could be discussed where the header() function should be placed - as other parts of the Observium code also do not use it right at the beginning of the file, I decided to put it above the echo statement.