Apply information security header: X-Content-Type-Options:nosniff File Upload not work

Offline Duke 4 months ago

Dear All,

         Apply information security header: X-Content-Type-Options:nosniff   File Upload not work

My Env description as follows:

        1. IIS 10

        2. Aras Innovator 11Sp12

Error Message:

Refused to execute script from 'localhost/.../include.aspx

Because its MINE type ('text/css') is not executable, and strict MIME type checking is enabled.

How to resolve the issue?

Parents

0 AngelaIp 4 months ago

Hi Duke,

please do not double post. If something is urgent, just write that is it urgent :-).

Where does the error message appear? Do you get it as pop-up when you try to upload a file?

Do you have a brand new installation? If yes, is Vault configured correctly in code tree and database?

Or does the error appear in an existing installation? In this case, does the error message only appear for CSS files? There are some mime type related settings in VaultServer\web.config which may have some influence. The error message somehow indicates, that Innovator want to execute the CSS file, but the browser does not allow it. In this case you could try a custom case for css in the web.config.

But I am just guessing! Let me know if anything of these tips were helpful!

Angela
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Offline Duke 4 months ago in reply to AngelaIp

Dear AngelaIp,

some your provide related question to reply~

Q1. Where does the error message appear?

==> from Google Chrome browser console screen.

Q2. Do you get it as pop-up when you try to upload a file?

==> try to upload a file, just always waiting!

Q3. Do you have a brand new installation?

==> No

Q4. does the error appear in an existing installation?

==> Before add security header, that is ok!

Q5. There are some mime type related settings in VaultServer\web.config which may have some influence.

==> It is include.aspx generate error!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AngelaIp 4 months ago in reply to Duke

Does the error message appear for all file types? What do you try to upload? txt, cad, xml, xls?

Do you upload with the regular file picker or via Rest API?

==> Before add security header, that is ok! --> This one is a bit unclear. Have you modified security headers in IIS?

Don´t be confused bei include.apsx error. That´s a general page. Error is caused probably by something else.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Offline Duke 4 months ago in reply to AngelaIp

Dear AngelaIp,

Just try to upload txt file by regular file picker.

Before add security header, this is ok! i has modified security headers in IIS.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Offline Duke 4 months ago in reply to AngelaIp

Dear Anglealp,

i attached error message file ~

So, i has reason believe the program about include.aspx has information security bug.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AngelaIp 4 months ago in reply to Duke

Why have you modified the security headers in the first place? Do you use a Innovator in a DMZ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Offline Duke 4 months ago in reply to AngelaIp

Cause Security Company using software scan Web site, So must maintain the web site security level.

Not use innovator in DMZ, Just intranet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Offline Duke 4 months ago in reply to AngelaIp

Cause Security Company using software scan Web site, So must maintain the web site security level.

Not use innovator in DMZ, Just intranet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data