
Charset in JSON content-type header causing Chrome CORB warning #3961

Closed

jkytomaki opened this issue May 16, 2019 · 4 comments

Comments

@jkytomaki

jkytomaki commented May 16, 2019

It looks like new versions of Chrome are logging Cross-Origin Read Blocking (CORB) warnings into the console in the following situation:

  • making a POST request to a resource returning JSON
  • the response having an X-Content-Type-Options: nosniff header
  • the content-type header having the value application/json; charset=utf-8

According to this Stack Overflow answer, removing the charset=utf-8 from the end of the content-type fixes the warning, so Chrome seems to treat this as an invalid content-type.

There are some old closed issues about express adding charset=utf-8 to the end of the content type header and as far as I could see there is currently no way to remove the charset from the header using express. Is it possible to re-evaluate this?
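As an added example (not code from this issue, from Express or from Chrome), the following parses a Content-Type header value the way a client does, separating the media type's essence (type/subtype) from its parameters. It shows that `application/json; charset=utf-8` parses to the essence `application/json` with a `charset` parameter, i.e. a well-formed JSON media type with a declared encoding, not an invalid one. The function names and the sample header values are this example's own.

```javascript
// Added example: parse an HTTP Content-Type header value into its essence
// (type/subtype, lower-cased) and its parameters, roughly following the
// "parse a MIME type" algorithm from the WHATWG MIME Sniffing standard.
// Simplification (assumption of this example): parameters are split on ';',
// so a quoted parameter value that itself contains ';' is not handled.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [typePart, ...paramParts] = value.split(';');
  const slash = typePart.indexOf('/');
  if (slash === -1) return null;
  const type = typePart.slice(0, slash).trim().toLowerCase();
  const subtype = typePart.slice(slash + 1).trim().toLowerCase();
  if (!type || !subtype) return null;

  const params = {};
  for (const raw of paramParts) {
    const eq = raw.indexOf('=');
    if (eq === -1) continue;                 // a bare token with no '=' is ignored
    const name = raw.slice(0, eq).trim().toLowerCase();
    let val = raw.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);                // quoted-string: strip the quotes
    }
    if (name && !(name in params)) params[name] = val;  // first occurrence wins
  }
  return { type, subtype, essence: `${type}/${subtype}`, params };
}

// A JSON media type is application/json, text/json, or any "+json" structured
// syntax suffix (e.g. application/problem+json); parameters do not change that.
function isJsonMime(value) {
  const ct = parseContentType(value);
  if (!ct) return false;
  if (ct.essence === 'application/json' || ct.essence === 'text/json') return true;
  return ct.subtype.endsWith('+json');
}

// The charset the server declared, lower-cased, or null when absent. An absent
// charset is what leaves the client free to sniff the encoding.
function declaredCharset(value) {
  const ct = parseContentType(value);
  return ct && ct.params.charset ? ct.params.charset.toLowerCase() : null;
}

// Constructed sample header values for a quick manual run.
const samples = [
  'application/json; charset=utf-8',
  'APPLICATION/JSON;CHARSET="UTF-8"',
  'application/problem+json',
  'text/html; charset=utf-8',
];
for (const s of samples) {
  const ct = parseContentType(s);
  console.log(`${s} => essence=${ct.essence} json=${isJsonMime(s)} charset=${declaredCharset(s)}`);
}
```

Both `application/json; charset=utf-8` and the upper-cased, quoted variant come out with the same essence and an explicit UTF-8 charset, which is the property the Express maintainers point to (a declared charset) and is unrelated to whether the browser classifies the body as JSON.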

@dougwilson
Contributor

No, we cannot re-evaluate the addition of the charset header unless CVE-2014-6393 is going to be rescinded, unfortunately.

Perhaps there are other options? Would you be able to create a very simple app using Express that reproduces the issue and perhaps I can be another set of eyes to see what we can do?

@pszafer

pszafer commented May 17, 2019

Hi,
This CVE-2014-6393 is talking about the charset field in HTTP Content-Type headers in 400 level responses, not 200 level.
Many other libs are deleting that charset info from 200 / application/json responses.
cakephp/cakephp#13156
slimphp/Slim#2629

I cannot imagine other options as nobody else had other idea than remove charset info from 200 responses.

@dougwilson
Contributor

The CVE description was not updated correctly back then. It applies to all responses.

Unless you can provide a demonstration so we can reproduce the issue, then there is no way forward in this case.

@jkytomaki
Author

After some more testing with different response headers and trying to create a demonstration of the issue, the removal of the charset suggested in the SO article doesn't seem to have any effect for me. Removing the X-Content-Type-Options: nosniff header from responses to OPTIONS requests does seem to remove the warning. You can ignore this report. Thanks for the quick replies.


3 participants