Skip to main content

Removing "nosniff" headers in Essentials 4.14.4

UPDATE: This has been addressed in the most recent (4.14.5) release of Essentials.

 

Geocortex Essentials 4.14.4 included a security fix that added the following configuration to the web.config file for the Essentials application:

    <httpProtocol>
      <customHeaders>
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>

This configuration instructs browsers to not "sniff" content, and only accept content that matches its advertised MIME-type, and was intended to stop certain types of malicious use and reduce our impact on security scans.

Unfortunately, there are at least two unintended side effects of this change:

  1. Access tokens for some secured layers are no longer being refreshed properly.  After a period of time, those layers will stop drawing in the viewer, or the user may see a session timeout warning unexpectedly.
    mceclip0.png
    The text on the popup is Warning: Your session is about to expire, and there is a Sign In button.
  2. Custom viewer modules hosted within the Sites folder in a VirtualDirectory do not work, since their content type of text/plain or application/unknown is not application/javacsript. 
    • In the browser console, you may see an error similar to Refused to execute script from <location> because its MIME type ('application/unknown') is not executable, and strict MIME type checking is enabled.

We have reported several bugs in Essentials following customers experiencing the above issues.

We are working towards a further resolution that allows us to prevent MIME-type sniffing but until that is available, we advise removing the X-Content-Type-Options header added at 4.14.4.  This will revert Essentials to the pre-4.14.4 behavior and will allow token refresh and custom modules to work as expected.

The best way to remove the header is by using IIS manager to navigate to the Essentials REST application, and then use the HTTP Response Headers configuration applet to remove the header:

mceclip0.png

The header can also be removed by commenting out or deleting the <customHeaders> XML element in the web.config file for the Essentials REST application.

The default location for this file is:

C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\Default\REST Elements\REST
 
Editing the web.config file may require elevated privileges. We recommend making a backup before applying your changes!

Related articles

Comments

0 comments

Please sign in to leave a comment.