Charset in JSON content-type header causing Chrome CORB warning #3961
Comments
No, we cannot re-evaluate the addition of the charset header unless CVE-2014-6393 is going to be rescinded, unfortunately. Perhaps there are other options? Would you be able to create a very simple app using Express that reproduces the issue and perhaps I can be another set of eyes to see what we can do?
Hi, I cannot imagine other options as nobody else had other idea than remove
The CVE description was not updated correctly back then. It applies to all responses. Unless you can provide a demonstration so we can reproduce the issue, then there is no way forward in this case.
After some more testing with different response headers and trying to create a demonstration of the issue, the removal of the charset suggested in the SO article doesn't seem to have any effect for me. Removing the
It looks like new versions of Chrome are logging Cross-Origin Read Blocking (CORB) warnings into the console in the following situation:
X-Content-Type-Options nosniff header
application/json; charset=utf-8
According to this Stack Overflow answer removing the charset=utf-8 from the end of the content-type fixes the warning, so Chrome seems to treat this as an invalid content-type.
There are some old closed issues about express adding charset=utf-8 to the end of the content type header and as far as I could see there is currently no way to remove the charset from the header using express. Is it possible to re-evaluate this?
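Added example, not part of the thread or of Express: a minimal Node.js reproduction of the header combination described in the issue, built on the built-in http module only. The function names, paths and port are hypothetical; the JSON check follows the WHATWG MIME Sniffing definition of a JSON MIME type, and isNosniffJson is an illustrative check, not Chrome's CORB logic.

```javascript
const http = require('http');

// Split a Content-Type value into its essence ("type/subtype") and parameters.
function parseContentType(value) {
  const [essence, ...rest] = String(value).split(';');
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // ignore parameters without a value
    const name = part.slice(0, eq).trim().toLowerCase();
    params[name] = part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return { essence: essence.trim().toLowerCase(), params };
}

// JSON MIME type as defined by the WHATWG MIME Sniffing standard.
function isJsonMime(essence) {
  return essence === 'application/json' || essence === 'text/json' ||
    essence.endsWith('+json');
}

// Headers for the two variants under discussion (constructed for this repro).
function variantHeaders(withCharset) {
  return {
    'Content-Type': withCharset ? 'application/json; charset=utf-8' : 'application/json',
    'X-Content-Type-Options': 'nosniff',
  };
}

// True when a response is JSON-typed with sniffing disabled; charset is ignored.
function isNosniffJson(headers) {
  const { essence } = parseContentType(headers['Content-Type']);
  return isJsonMime(essence) &&
    String(headers['X-Content-Type-Options']).toLowerCase() === 'nosniff';
}

// Reproduction server: /with-charset and /without-charset return the same body.
function startRepro(port) {
  return http.createServer((req, res) => {
    if (req.url !== '/with-charset' && req.url !== '/without-charset') {
      res.writeHead(404);
      res.end();
      return;
    }
    res.writeHead(200, variantHeaders(req.url === '/with-charset'));
    res.end(JSON.stringify({ ok: true }));
  }).listen(port, '127.0.0.1');
}
```

Calling startRepro(3000) and requesting each path from a page on another origin lets the two variants be compared side by side in the browser console.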