metro icon indicating copy to clipboard operation
metro copied to clipboard

Published 20 hours ago • verified publisher icon facebook

X-Content-Type-Options: nosniff header prevents WebViews from loading assets

Open naoey opened this issue 5 years ago • 7 comments

Do you want to request a feature or report a bug?

Report a bug.

What is the current behavior?

Metro sets the X-Content-Type-Options: nosniff header which causes WebViews to refuse to execute assets loaded from the packager.

If the current behavior is a bug, please provide the steps to reproduce and a minimal repository on GitHub that we can yarn install and yarn test.

Repository can be found here.

Run the app and inspect the WebView content using Safari developer options:

image

What is the expected behavior?

Assets loaded from the packager shouldn't always set the nosniff header. There may have been reasons for adding this but I believe it should be made configurable for loading assets in development mode. Alternatively we should have a means to set Content-Type for assets.

Please provide your exact Metro configuration and mention your Metro, node, yarn/npm version and operating system.

No extra metro configuration.

RN 58.6 yarn 1.13.0 node 11.10.0 macOS 10.14.3

Upgrading from RN 57.4 to 58.6 introduced this issue.

Headers running 57.4: image

Headers running 58.6: image

naoey avatar Mar 06 '19 08:03 naoey

This is quite a problematic issue and does break a number of 3rd party modules that rely on rendering a WebView including local scripts. Don't suppose you found a workaround for this did you?

lukefanning avatar Apr 17 '19 10:04 lukefanning

I haven't, unfortunately. My project is set up to copy all the asset files into the app bundle during build and use the bundle resources for production mode. So for now I've had to continue working by rebuilding the native app each time the assets change.

naoey avatar Apr 17 '19 10:04 naoey

@naoey Do you mean this? https://github.com/react-native-community/cli/commit/c2a52556d9a0e0b4cac7d97feaa9739393597df7#diff-9645940418a2ef615c043579cdacaa59R24

kira1928 avatar Aug 27 '19 06:08 kira1928

It does seem like that is where the issue began. I think the actual solution would be that Metro actually sets the correct MIME types when serving content. For example, it serves the CSS files requested by the WebView as text/html which combined with the nosniff header is what leads to the breakage.

naoey avatar Aug 27 '19 06:08 naoey

Ah... yes you are right. Adding MIME should be the correct way instead of changing nosniff. I wonder why your issue is ignored for so long time.

kira1928 avatar Aug 27 '19 06:08 kira1928

Hi I am having the same issue of nosniff, please provide solution.

prem30488 avatar Apr 24 '20 19:04 prem30488

Any update here?

willnix86 avatar Nov 02 '21 15:11 willnix86