New Opt-out solution: Mime-type conflict nosniff #19889

Closed
utrautmann opened this issue Oct 19, 2022 · 5 comments
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users.

Comments

@utrautmann

Usage: Matomo Version 4.12.1 and new opt-out script without iframe (#17452).

Most websites have set the HTTP-Header x-content-type-options : nosniff.

In the case of this setting the new opt-out script is not working:
The browser console is logging "ressource is blocked because of MIME-Typ-conflict ("text/html")".

The behaviour occurs when I use the Matomo tracker code snippet to set the opt-out.
The second snippet (self contained code) is working.

I don't know now if it's a bug or more of a documentation issue.

@utrautmann utrautmann added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Oct 19, 2022
@bx80
Contributor

bx80 commented Oct 27, 2022

Thanks for reporting this @utrautmann,

I've unsuccessfully tried to recreate this issue by enabling the HTTP-Header x-content-type-options : nosniff header locally and testing the tracker opt-out in Firefox and Chrome, but I didn't encounter any errors. From the console message you are seeing it sounds like the opt-out script is being sent with the content type "text/html" but in my tests it is "application/javascript; charset=utf-8".

If you can still create the issue, could you please check the content type request header of the index.php?module=CoreAdminHome&action=optOutJS..... network request to see if it is 'text/html' or 'application/javascript; charset=utf-8'?

@bx80 bx80 added the Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. label Oct 27, 2022
@utrautmann
Author

Hello @bx80,
the content type header is 'text/html'.

@Findus23
Member

Findus23 commented Nov 2, 2022

Hi,

https://demo.matomo.org/index.php?module=CoreAdminHome&action=optOutJS returns content-type: application/javascript; charset=utf-8, so can you maybe check the content of that response?
Maybe it is showing an HTML error page instead of the JavaScript it should return.

@utrautmann
Author

Hi,
unfortunately my response was wrong because of usage of an incorrect URL. The content-type is "application/javascript; charset=utf-8" too.
I will investigate it further to recognize some differences.

@utrautmann
Author

I looked into the topic again and came to the conclusion that there is no Matomo error here. There was a misconfiguration in proxy forward requests on the Matomo web server that was delivering an error page instead of the Matomo opt-out HTML.

Thank you for your patience.

@elabuwa elabuwa added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Nov 22, 2022
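
The diagnosis this thread arrived at, as an added example that is not part of the original issue or Matomo's code: a check that decides whether a response loaded through a `<script>` tag is blocked under `nosniff`, and whether the likely cause is an error page served in place of the script. The function names, the 502 status and the sample headers are constructed for illustration.

```javascript
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive header lookup in a plain object (hypothetical helper).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? "" : String(headers[key]);
}

// Classify a response that a page loads via <script src=...>.
// The nosniff check uses the headers of the script response itself.
function diagnoseScriptResponse({ status, headers, body }) {
  const essence = header(headers, "content-type").split(";")[0].trim().toLowerCase();
  const nosniff =
    header(headers, "x-content-type-options").split(",")[0].trim().toLowerCase() === "nosniff";
  const blocked = nosniff && !JS_MIME_TYPES.has(essence);
  const looksLikeHtml = /^\s*<(!doctype|html)/i.test(body);
  let cause = "none";
  if (blocked && (status >= 400 || looksLikeHtml)) {
    cause = "error page served instead of script";
  } else if (blocked) {
    cause = "wrong Content-Type on script";
  }
  return { essence, nosniff, blocked, cause };
}

// Constructed sample: the opt-out script answered by Matomo directly.
const matomoDirect = {
  status: 200,
  headers: { "Content-Type": "application/javascript; charset=utf-8",
             "X-Content-Type-Options": "nosniff" },
  body: "/* opt-out script */",
};
// Constructed sample: a misconfigured proxy answering with its own error page.
const viaBrokenProxy = {
  status: 502,
  headers: { "content-type": "text/html", "x-content-type-options": "nosniff" },
  body: "<!DOCTYPE html><html><body>Bad Gateway</body></html>",
};

console.log(diagnoseScriptResponse(matomoDirect), diagnoseScriptResponse(viaBrokenProxy));
```
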