CORS and MIME types

Direct, it seems, from the pit of “Code bugs only manifest themselves when you least expect them” horrors, comes this doozy.

If you have read a couple of recent blogs posts you’ll know that I’ve been slowly, step by step, making my various domains secure. (This one is the worst offender, but is also going to take the most effort because of *cough* GoDaddy *cough*, and its peculiar rules regarding SSL certificates.) One of the recent ones was my URL shortening domain Five years ago, I wrote a blog post about how to satisfy the CORS principle (Cross-origin resource sharing) via JSONP and jQuery in order that the JavaScript on this site could create/get a short URL for each post. And for five years, everything has been working just peachy: my shortening service running on Azure has been dishing up the short URLs with no issues.

Until just recently.

A big principle with resolving bugs in code that has been working just fine for a long period of time is, What just changed? Answer that, and it helps you zero in on the reasons for the bug. Problem is, when I secured I did check that everything still worked. After all, it was my first ASP.NET site for which I’d done this, so obviously I’d have to make sure that the code still worked, that I’d updated the various bits and pieces that needed it. And, yes, it still served up short URLs.

Fine! Until about a week ago, when I wrote and published the previous blog post. Suddenly the service was not providing short URLs.

Time for some web developer tools. Firefox gave me just this error and no further hints:

Loading failed for the <script> with source “[FullURL]&callback=[ComplexGUID]”

To which all I could say was, holy crapola, my shortening service is no longer up. Except … it was. Googling the error didn’t bring up anything that I could use. I played around a bit with getting the error message returned from jQuery’s getJSON() call, but that had the most helpful text I’ve seen yet: “error”. I was pretty stumped. Even worse, checking my database of short URLs showed that the full URL for the new blog post had in fact been processed. The short URL had been generated. So the request was getting through, but the response (that is, the short URL) had not made it back.

Finally I tried it with Chrome. This gave me:

Refused to execute script from ‘[FullURL]&callback=[ComplexGUID]’  because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

Well, I’ll be. The returned MIME type was wrong. Since the server code was in fact returning a piece of JavaScript code that would call a jQuery randomly-named, auto-generated callback function, it should have been labeled as application/javascript. I changed the code on the server to do so, and, boom!, it all worked again.

(In my original post on the subject, I’d used text/javascript for the MIME type – equally wrong – but must’ve changed it at some point to application/json instead. Because, you know, the important bit of the executable response is some JSON. Yeah, right.)

Admittedly, this fix doesn’t really address anything about why it suddenly wouldn’t work. It certainly wasn’t because I went secure (that bit did work with SSL active), but it must have been some tweak in Firefox in one of the latest versions that suddenly meant MIME types were being rigorously checked. Perhaps Chrome was reporting the error all along, but I wouldn’t know since I don’t use it regularly.

MIME type

Loading similar posts...   Loading links to posts on similar topics...

No Responses

Feel free to add a comment...

Leave a response

Note: some MarkDown is allowed, but HTML is not. Expand to show what's available.

  •  Emphasize with italics: surround word with underscores _emphasis_
  •  Emphasize strongly: surround word with double-asterisks **strong**
  •  Link: surround text with square brackets, url with parentheses [text](url)
  •  Inline code: surround text with backticks `IEnumerable`
  •  Unordered list: start each line with an asterisk, space * an item
  •  Ordered list: start each line with a digit, period, space 1. an item
  •  Insert code block: start each line with four spaces
  •  Insert blockquote: start each line with right-angle-bracket, space > Now is the time...
Preview of response