2 Replies Latest reply on Jan 4, 2019 10:03 AM by jstourac

    html, js and css file's "content-type" header for directory listing removed after added "X-Content-Type-Options" header

    xxzufrixx

      Hi,

       

I am using JBoss EAP 7 and I have a requirement to add the "X-Content-Type-Options=nosniff" header as part of server hardening. After I added the header, the Content-Type header for the html, js (/?js) and css (?css) of the directory listing is missing and Chrome filters out the files; we are using Undertow directory listing, btw. Is there any way to set the content type back so that Chrome will not filter it out?

       

subsystem tag for standalone.xml

              <subsystem xmlns="urn:jboss:domain:undertow:3.1">
                  <buffer-cache name="default"/>
                  <server name="default-server">
                      <ajp-listener name="ajp" socket-binding="ajp"/>
                      <http-listener name="default" socket-binding="http" redirect-socket="https"/>
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <filter-ref name="x-powered-by-header"/>
                          <filter-ref name="x-xss-protection"/>
                          <filter-ref name="strict-transport-security"/>
                          <filter-ref name="x-Content-type-options"/>
                      </host>
                  </server>
                  <servlet-container name="default" default-encoding="UTF-8" directory-listing="true">
                      <jsp-config/>
                      <websockets/>
                  </servlet-container>
                  <handlers>
                      <file name="welcome-content" directory-listing="true" path="${jboss.home.dir}/welcome-content"/>
                  </handlers>
                  <filters>
                      <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
                      <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
                      <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
                      <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
                  </filters>
              </subsystem>
      

       

Response headers in Firefox after adding the header (same in Firefox: Content-Type is missing from the response headers, but the file still shows up)

Response headers in Chrome after adding the header (notice that /?js and /?css are missing and the Content-Type header is missing)

        • 1. Re: html, js and css file's "content-type" header for directory listing removed after added "X-Content-Type-Options" header
          jstourac

          Hi Zufri,

           

could you please share what particular version of JBoss EAP you use? I tried to reproduce this behavior with EAP 7.1.5 and 7.1.0 against the default welcome-content that comes with the server, but without any luck.

           

          Here are my unsuccessful reproduction steps:

          1. start EAP, ./bin/standalone.sh
          2. connect to cli, ./bin/jboss-cli.sh -c
          3. configure headers and directory listing:
            /subsystem=undertow/configuration=handler/file=welcome-content:write-attribute(name=directory-listing,value=true)
            /subsystem=undertow/configuration=filter/response-header=x-content:add(header-name=X-Content-Type-Options,header-value=nosniff)
            /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-content:add()
            /subsystem=undertow/configuration=filter/response-header=x-xss-protection:add(header-name=X-XSS-Protection,header-value="1; mode=block")
            /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-xss-protection:add()
            /subsystem=undertow/configuration=filter/response-header=strict-transport-security:add(header-name=Strict-Transport-Security,header-value="max-age=31536000; includeSubDomains")
            /subsystem=undertow/server=default-server/host=default-host/filter-ref=strict-transport-security:add()
            reload
4. perform a request in Chrome to http://localhost:8080/images

           

I can see that there is a Content-Type header present in the server response for both the ?js and ?css files and also for the images/ request. Also, when I use curl directly to retrieve these files, there is a Content-Type header present in the server HTTP response:

           

          $ curl -v http://127.0.0.1:8080/images?css >/dev/null
          *   Trying 127.0.0.1...
          * TCP_NODELAY set
            % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                           Dload  Upload   Total   Spent    Left  Speed
            0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
          > GET /images?css HTTP/1.1
          > Host: 127.0.0.1:8080
          > User-Agent: curl/7.59.0
          > Accept: */*
          >
          < HTTP/1.1 200 OK
          < X-Powered-By: Undertow/1
          < X-XSS-Protection: 1; mode=block
          < Server: JBoss-EAP/7
          < Date: Thu, 03 Jan 2019 14:40:28 GMT
          < Connection: keep-alive
          < ETag: "Z3rmpzgm+Ua5AIAtPv5/Hw=="
          < Strict-Transport-Security: max-age=31536000; includeSubDomains
          < X-Content-Type-Options: nosniff
          < Content-Length: 3494
          < Content-Type: text/css
          <
          { [3494 bytes data]
          100  3494  100  3494    0     0  3412k      0 --:--:-- --:--:-- --:--:-- 3412k
          * Connection #0 to host 127.0.0.1 left intact

           

          Did I miss anything specific in your configuration?

          • 2. Re: html, js and css file's "content-type" header for directory listing removed after added "X-Content-Type-Options" header
            jstourac

Never mind, I realized my mistake - you actually use directory listing via a deployed servlet app. I was able to reproduce your problem and created an issue here: [WFLY-11558] Content-Type header is not set in HTTP response for directory resource in servlet directory-listing feature… .

             

This will be fixed in WildFly, and I don't know when or whether this will get into JBoss EAP 7.1.x CPs. If you need this fix included in JBoss EAP, please create a customer case against Red Hat, Portal Case Management.

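The thread shows why the missing Content-Type matters only once nosniff is set: a browser honouring X-Content-Type-Options: nosniff refuses a stylesheet or script whose declared type is absent or wrong, where without the header it would have sniffed the type and loaded it anyway. The following checker, an added example that is not code from the thread, JBoss EAP or Undertow, applies that rule to raw response heads such as the curl -v output above; the sample heads are constructed, and the ?css / ?js mapping follows the directory-listing URLs described in the thread.

```python
"""Decide whether a browser enforcing X-Content-Type-Options: nosniff would
block a response. Constructed example; not JBoss EAP or Undertow code."""
from typing import Dict, Tuple

# JavaScript MIME types accepted for scripts under nosniff (subset of the
# Fetch standard's list); stylesheets must be exactly text/css.
JS_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}

def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a raw HTTP response head into (status line, lower-cased header
    dict). Lines prefixed with '< ' as in curl -v output are accepted."""
    lines = [ln[2:] if ln.startswith("< ") else ln for ln in raw.strip().splitlines()]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def resource_kind(url: str) -> str:
    """Undertow's servlet directory listing fetches its stylesheet and script
    as '?css' and '?js' on the directory URL; map that to a fetch destination."""
    return {"css": "style", "js": "script"}.get(url.partition("?")[2], "other")

def nosniff_verdict(url: str, raw: str) -> str:
    """'allowed': correct Content-Type; 'blocked': nosniff set and the type is
    missing or wrong; 'sniffed': wrong/missing type but no nosniff, so the
    browser guesses (loads, but that is exactly what nosniff is meant to stop)."""
    _, h = parse_head(raw)
    kind = resource_kind(url)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if kind == "script":
        ok = ctype in JS_TYPES
    elif kind == "style":
        ok = ctype == "text/css"
    else:
        return "not-enforced"  # nosniff only gates script and style destinations
    return "allowed" if ok else ("blocked" if nosniff else "sniffed")

# Constructed response heads modelled on the curl output in the thread.
HEALTHY_CSS = "< HTTP/1.1 200 OK\n< X-Content-Type-Options: nosniff\n< Content-Type: text/css\n"
MISSING_CT = "< HTTP/1.1 200 OK\n< X-Content-Type-Options: nosniff\n< Content-Length: 3494\n"
NO_NOSNIFF = "HTTP/1.1 200 OK\nContent-Length: 3494\n"
```

Feeding the two ?css heads through nosniff_verdict reproduces the thread's symptom: the head that carries Content-Type: text/css is allowed, the one missing it is blocked under nosniff, and the same missing type without the header is merely sniffed.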