0
votes

I am trying to set up Helmet security on my React application's production server, but whenever I try hitting the URL I get an error saying: Refused to execute script from 'http://localhost:3000/static/js/app.378bd8b8eee930fb268c.js' because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled.


For the compressed build I am using compression-webpack-plugin.

The compressed build works perfectly fine when I remove Helmet. Helmet plugin setting:

{"xssFilter": {"setOnOldIE": true}}
Why are you doing XSS verification? I don't get the point there. What are you trying to do? What is http://localhost:3000/static/js/app.378bd8b8eee930fb268c.js supposed to respond? – AirOne

@AirOne I am using it to protect my application from X-XSS-Protection. – Rajdeep Ratan

As said in the Helmet docs, XSS Filter doesn't do much. I recommend you not use Helmet but manually set the X-XSS-Protection header to 1; mode=block instead. – AirOne

@AirOne Your idea worked (Y). Thank you. – Rajdeep Ratan

1 Answer

1
votes

tl;dr: /static/js/app.378bd8b8eee930fb268c.js is being sent with a Content-Type of application/gzip but it should be application/javascript.


Author of Helmet here. This is happening because of the X-Content-Type-Options header, which Helmet automatically sets to nosniff. This tells browsers not to infer the type of the file, and to trust the Content-Type that the server sets.

As you can see in your screenshot, /static/js/app.378bd8b8eee930fb268c.js has a Content-Type of application/gzip. The browser refuses to interpret it as JavaScript because its Content-Type isn't application/javascript—that's the X-Content-Type-Options header in action.

You can fix your problem by fixing that—get your JavaScript files' Content-Types to be application/javascript, not application/gzip.