For many years I have successfully included javscript files which are dynamically created.
Here is an example: .php?locs=95
As you can see it loads OK.
I usually put them into the head of my html document like this.
script type="text/javascript" src=".php?locs=95"
/script
In the last few days they have stopped working.
The error message from firefox debugger console is the following.
The resource from “.php?locs=95” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
I use a2 web hosting. They must have made some change in configuration to make it stop working.
It may be that I can get over this problem with a line in the .htaccess file.
A2 hosting suggested this line but it does not work. Header always unset X-Frame-Options
The problem only happen when there is a get request. ie ?locs=95
There is no problem with static files.
I tried changing the file name to .js and changed the .htaccess file to parse .js as php but it makes no difference.
For many years I have successfully included javscript files which are dynamically created.
Here is an example: https://granadainfo./sups.php?locs=95
As you can see it loads OK.
I usually put them into the head of my html document like this.
script type="text/javascript" src="https://granadainfo./sups.php?locs=95"
/script
In the last few days they have stopped working.
The error message from firefox debugger console is the following.
The resource from “https://granadainfo./sups.php?locs=95” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
I use a2 web hosting. They must have made some change in configuration to make it stop working.
It may be that I can get over this problem with a line in the .htaccess file.
A2 hosting suggested this line but it does not work. Header always unset X-Frame-Options
The problem only happen when there is a get request. ie ?locs=95
There is no problem with static files.
I tried changing the file name to .js and changed the .htaccess file to parse .js as php but it makes no difference.
Share Improve this question edited May 29, 2019 at 11:12 John Coltrane asked May 29, 2019 at 11:10 John ColtraneJohn Coltrane 1111 gold badge1 silver badge6 bronze badges 1- "A2 hosting suggested this line but it does not work. Header always unset X-Frame-Options" — the mind boggles. Why on earth do they thing that would make any difference? – Quentin Commented May 29, 2019 at 11:11
3 Answers
Reset to default 3PHP defaults to Content-Type: text/html. If you aren't serving HTML, then you need to use the header() function to state what you are serving.
<?php
header("Content-Type: application/javascript");
The advanced support of A2 hosting eventually got back to me with a good answer. The following is based on what they said and it does solve the problem.
There is a simple solution.
For security reasons, we recently set "X-Content-Type-Options" to "nosniff" by default on all of our servers. If the option was not manually set in your ".htaccess" file, then the site just defaulted to whatever the server was using (nosniff). This is what was causing the error on the site.
Earlier in this ticket, you were told to unset the "X-Frame-Options" header mistakenly because that option is only for iframes. The actual header you needed to unset was "X-Content-Type-Options".
This is the line to add to the top of your .htaccess file.
Header always unset X-Content-Type-Options
I agree with your answer.
In the end I have changed the filenames to .js and made .js parse with php like this in the .htacess file.
RewriteEngine on
AddHandler application/x-httpd-ea-php56 .php4 .php3 .php .phtml .htm .html .cgi .ics
.js
Then I added this to the top of all the files
header('Content-Type: text/javascript');
It now works.
All efforts to solve the problem with X-Content-Type-Options in the .htacess file failed.