Don't emit a charset parameter on the json content type. Chrome has
started emitting warnings when this parameter is present as it isn't
compliant with the spec.
Fixes #13156
It seems Chrome has recently started to throw CORB (Cross-Origin-Read-Blocking) warnings when the encoding is part of the HTTP content-type header, which is the default behavior of CakePHP 3.x (possibly CakePHP 2.x, too).
Instead of `application/json; charset=utf-8`, we should simply return `application/json` without the `; charset=utf-8` suffix.
Slim had the same issue:
slimphp/Slim#2629
What IANA says about the JSON content-type header:
https://www.iana.org/assignments/media-types/application/json
Some related links:
https://www.chromium.org/Home/chromium-security/corb-for-developers
https://medium.com/@ethicalevil/nosniff-and-the-rabbit-hole-of-mime-sniffing-in-browsers-9f764a454a46
https://www.searchenginejournal.com/nosniff-response-headers/261171/#close
https://www.chromestatus.com/feature/5780195579527168
https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Content-Type-Options
https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware
Edit: accept -> content-type ☕
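
The header change requested above, as an added example that is not part of the original issue or of CakePHP's code: a plain PHP function (hypothetical name `normalizeJsonContentType`) that drops the `charset` parameter from `application/json` values and leaves every other media type untouched. The sample headers are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not CakePHP's API).
 * Removes a charset parameter from an application/json Content-Type value.
 * Any other media type is returned exactly as given.
 */
function normalizeJsonContentType(string $header): string
{
    // Split on ';' only when it is outside a quoted parameter value.
    // Assumption: quoted values contain no backslash-escaped quotes.
    $parts = preg_split('/;(?=(?:[^"]*"[^"]*")*[^"]*$)/', $header);
    $mediaType = strtolower(trim((string) array_shift($parts)));

    if ($mediaType !== 'application/json') {
        return $header;
    }

    $kept = [];
    foreach ($parts as $param) {
        $param = trim($param);
        if ($param === '') {
            continue; // tolerate a trailing ';'
        }
        // Parameter names are case-insensitive.
        $name = strtolower(trim(explode('=', $param, 2)[0]));
        if ($name !== 'charset') {
            $kept[] = $param;
        }
    }

    return $kept ? $mediaType . '; ' . implode('; ', $kept) : $mediaType;
}

// Constructed sample header values.
$samples = [
    'application/json; charset=utf-8',
    'Application/JSON;CHARSET="UTF-8";',
    'application/json',
    'text/html; charset=utf-8',
];

foreach ($samples as $value) {
    printf("%-36s -> %s\n", $value, normalizeJsonContentType($value));
}
```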