
[3.x] Chrome throwing CORB (Cross-Origin-Read-Blocking) warnings for default JSON header #13156

Closed
ravage84 opened this issue Apr 23, 2019 · 0 comments · Fixed by #13161

Comments

ravage84 (Member) commented Apr 23, 2019

It seems Chrome has recently started to throw CORB (Cross-Origin-Read-Blocking) warnings when the encoding is part of the HTTP content-type header, which is the default behavior of CakePHP 3.x (possibly CakePHP 2.x, too).

Instead of application/json; charset=utf-8, we should simply return application/json without the ; charset=utf-8 suffix.

Slim had the same issue:
slimphp/Slim#2629

What IANA says about the JSON content-type header:

Note: No "charset" parameter is defined for this registration.
Adding one really has no effect on compliant recipients.

https://www.iana.org/assignments/media-types/application/json

Some related links:
https://www.chromium.org/Home/chromium-security/corb-for-developers
https://medium.com/@ethicalevil/nosniff-and-the-rabbit-hole-of-mime-sniffing-in-browsers-9f764a454a46
https://www.searchenginejournal.com/nosniff-response-headers/261171/#close
https://www.chromestatus.com/feature/5780195579527168
https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Content-Type-Options
https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware

Edit: accept -> content-type ☕
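As an added example (not code from the issue or from CakePHP), the following PHP parses a response Content-Type value and strips the charset parameter only from application/json, which is the change the issue requests; the function names and sample header values are my own.

```php
<?php
// Added example, not CakePHP code: parse a Content-Type header value and drop
// the charset parameter that IANA does not define for application/json.
declare(strict_types=1);

// Split "type/subtype; name=value; ..." into a lowercased media type and a
// map of lowercased parameter names to unquoted values (RFC 7231 section 3.1.1.1).
function parseContentType(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $type = strtolower(array_shift($parts));
    $params = [];
    foreach ($parts as $part) {
        if ($part === '' || strpos($part, '=') === false) {
            continue; // ignore malformed parameters rather than failing
        }
        [$name, $value] = explode('=', $part, 2);
        $params[strtolower(trim($name))] = trim($value, " \t\"");
    }
    return ['type' => $type, 'params' => $params];
}

// Return the header value the issue asks for: application/json loses its
// charset parameter, any other media type (text/html, ...) is left untouched.
function normalizeJsonContentType(string $header): string
{
    $parsed = parseContentType($header);
    if ($parsed['type'] !== 'application/json') {
        return $header;
    }
    unset($parsed['params']['charset']);
    $out = $parsed['type'];
    foreach ($parsed['params'] as $name => $value) {
        $out .= '; ' . $name . '=' . $value;
    }
    return $out;
}

// Constructed sample values, e.g. taken from a response's Content-Type header.
$samples = [
    'application/json; charset=utf-8',    // CakePHP 3.x default before the fix
    'Application/JSON; Charset="UTF-8"',  // case and quoting variants
    'application/json',                   // already compliant
    'text/html; charset=utf-8',           // charset is meaningful here, keep it
];
foreach ($samples as $value) {
    $fixed = normalizeJsonContentType($value);
    echo ($fixed === $value ? 'ok   ' : 'FIX  '), $value, ' -> ', $fixed, PHP_EOL;
}
```

Running it over captured response headers flags every JSON response that still carries a charset parameter, which is a quick regression check after upgrading to a release containing the fix.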

@ravage84 ravage84 added this to the 3.7.7 milestone Apr 23, 2019
@markstory markstory modified the milestones: 3.7.7, 3.7.8 Apr 24, 2019
markstory added a commit that referenced this issue Apr 24, 2019
Don't emit a charset parameter on the json content type. Chrome has
started emitting warnings when this parameter is present as it isn't
compliant with the spec.

Fixes #13156