AtlasOfLivingAustralia / logger-service

Atlas event logging
https://logger.ala.org.au

JSONP requests to service/reasonBreakdown.json fail #19

Open temi opened 4 years ago

temi commented 4 years ago

Some endpoints on logger, like service/reasonBreakdown.json, return with the response header Content-Type set to application/json. This happens even for JSONP requests. Browsers are smart enough to change to the correct Content-Type, application/javascript. However, for security reasons, the server can disable auto content-type conversion by setting the X-Content-Type-Options header to nosniff. Such requests are rejected by the browser. At present, collectory makes the JSONP request to show statistics. This could fail and show no stats. There are a few ways to fix this issue:

  1. Configure the server to not send the X-Content-Type-Options header.
  2. Make sure the appropriate content-type is sent for JSONP requests.
  3. Enable CORS and remove JSONP requests from applications.

ansell commented 4 years ago

Removing X-Content-Type-Options: nosniff is only a temporary workaround, not a fix. Either Option 2 or Option 3 should be implemented before closing this issue.

nickdos commented 3 years ago

Collections-test is not showing usage stats when pointing to logger-test. I can see the request for a JSONP callback is not being wrapped in the JS method, as expected - it's returning normal JSON.

Need to check if the JSONP is being done at app or Nginx level.

EDIT: app previously used the jsonp:0.2 plugin but not in newer Grails 3 version. Therefore need to implement this as a filter/interceptor.

nickdos commented 3 years ago

@Rita-C I think this can be done easily with a Grails interceptor. Here's an example with an old-style Filter:

https://github.com/AtlasOfLivingAustralia/dashboard/blob/master/grails-app/conf/au/org/ala/dashboard/JSONPFilters.groovy

Rita-C commented 3 years ago

> Collections-test is not showing usage stats when pointing to logger-test. I can see the request for a JSONP callback is not being wrapped in the JS method, as expected - it's returning normal JSON.

Collectory updated, refer to https://github.com/AtlasOfLivingAustralia/collectory-plugin/issues/184

Enabled CORS in logger-service

nickdos commented 3 years ago

Code all good.

nickdos commented 3 years ago

Looks good in test, tried 6 different endpoints and all showed expected headers - see screenshot:
