I am using ASP.NET platform to create a web page. Inside the page i have used some images/icons. For security purpose i have used “X-Content-Type-Options: nosniff” in web.config file. When i deploy the web page in IE, some of the images/icons isn't rendered. But, the same page working fine in Firefox and Chrome.
When i remove the statement “X-Content-Type-Options: nosniff” from web.config everything is working fine in IE. But, for security purpose i must use that statement. At the same time the missing images/icons need to be rendered in IE.
So, can anyone help me how to fix the issue with the statement “X-Content-Type-Options: nosniff".
Thanks in advance,
The nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.
So "X-Content-Type-Options nosniff" would bypass the problem for images and here comes the browser role which fail to render the image if the type mentioned by the server is not matching the real file extension.
Refer to:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options.
and this:
https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
IE uses MIME information to determine how to handle files sent by a Web server. For example, when Windows Internet Explorer receives a .jpg file, the user sees the file in an Windows Internet Explorer window. The MIME Handling Restrictions feature helps prevent script injection attacks against Web servers by ensuring that any content delivered with an IMAGE MIME is not treated as HTML or XML.
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565640(v=vs.85)
Add following line before saving bitmap
Response.ContentType = "image/gif";
Related
Good day.
So, here is my issue.
I'm currently using sharepoint 2010 for web applications, I am supposed to display pdf as part of a web page. Currently, the browser tends to download the pdf file instead of displaying it.
Content-disposition is already set to inline.
I've also used iframe, and src is pointing to custom httpHandler.
I've already added "application/pdf" MIME type in the list of AllowedInlineDownloadedMimeTypes as per the advice in this link http://www.pdfshareforms.com/sharepoint-2010-and-pdf-integration-series-part-1/.
However, the application still failed to display it, and it prompts the user to download the file instead.
I'm using mozilla firefox v12 and ie8 to test the application, they both exhibit the same behavior.
What else is missing? Thank you.
It's important to remember that not all browsers, especially older ones like Internet Explorer 8, have the ability to render PDF content inline. In these older browsers, this was generally accomplished through plug-ins like Adobe Reader or Foxit being installed on the client machine.
Basically, if you are using an older browser, your users will likely need one of these (or a similar) plug-in installed. Otherwise when the browser encounters a PDF file, it will serve it to the user, as it doesn't really know how to deal with it.
There is also a chance that this could be a permissions / settings issue similar to the one addressed in this related question. You may want to review over some of the discussions within that thread as well as this Sharepoint 2010 one, which details a a setting called "Browser File Handling" and how it's default value of "strict" can affect how PDFs and other files are accessed.
He came across the solution while looking at the "Web Application General Settings". There is a setting called Browser File Handling and by default it is set to strict.
I have deployed an ASP.NET website on IIS 7. I was able to access my site using the URL http://**local host**/sitename.aspx and all the formatting of my pages is looking good.
But when I access the same page by using the URL http://**servername**/sitename.aspx from another system or on the same server where I have been deployed, the page formatting is not working properly.
What would be the best solution for this? Thanks
First a fall to check your Js/Css file path where you have not mention static file path with localhost name.
For more detail go to browser and browse your url and press F+12 so development tool will be open and check there for broken url.
I am not sure why you are worrying about formatting soo much. I mean formatting should not affect you much unless you use <pre> in your html.
There are ways to modify the HTTP Response Using Filters. Can you please makesure none of these filters present in your application for release mode.
Generally i use HTTP compression feature of IIS to compress my content, but in browser it looks correct to me.
I'm hosting an ASP.NET website on Local IIS (not IIS Express), and as soon as I save a change to a .css file in Visual Studio, the change immediately appears in browser windows that use that file (or after mousing over the window in Chrome), without clearing caches and refreshing.
Why do the changes appear immediately?
Opening the .css file itself (not a page using the file) in the browser shows a more expected result: saving the file in Visual Studio does not change what I see in the browser until I refresh the .css file.
As it turns out, I had Browser Link enabled in Visual Studio, and with it, CSS Auto-Sync. This opens up a port on the local machine and uses SignalR to communicate with the browser window about 400 times per second, including any CSS changes needed.
For more information, see these topics:
.net localhost website consistently making get arterySignalR/poll?transport=longPolling&connectionToken= calls
How can I disable __vwd/js/artery in VS.NET 2013?
This probably happens due to caching. when you open the css itself, it retrieves a new copy from the server, but when you open a page that uses the css file, the css file is being cached as the page's resource and the browser just shows the cached resources until you force it to reload them.
a trick i learned to fix the issue, is to link the css file to the aspx page and include a random query string to the linking, that way it tricks the browser to think that its a new resource and reload it from the server anyway.
like this:
<link href="../stylesheets/MyCSS.css?<%=DateTime.Now%>"
rel="stylesheet" type="text/css" />
we use the aspx preprocessor directive <%=DateTime.Now%> to append the current time as a query string, to ensure the link is always different.
Dont forget the question mark between the css filename and the preprocessor directive
in order to find the server spec. i've created a file in the root dir in my website called spec.htm and entered this content as i was offered by another user:
<html>
<head>
<title></title>
</head>
<body>
#ServerInfo.GetHtml()
</body>
</html>
but i only get a copy of the code in my browser and it doesn't run it,
what the problem might be?
EDIT: i think that the problem is that i'm not using IIS.
is there a way to do so without using IIS?
thanks
Please see the following article
http://www.asp.net/webmatrix/tutorials/14-introduction-to-debugging
The ServerInfo helper is a diagnostic tool that gives you an overview of information about the web server environment that hosts your page. It also shows you HTTP request information that is sent when a browser requests the page. The ServerInfo helper displays the current user identity, the type of browser that made the request, and so on. This kind of information can help you troubleshoot common issues.
Create a new web page named ServerInfo.cshtml.
At the end of the page, just before the closing tag, add the following highlighted code.
#ServerInfo.GetHtml()
Note, it appears as though this is designed to run in IIS only and not on Linux / Apache servers.
Note, this is a RAZOR syntax so your system needs to be able to run Razor by installing the WebMatrix
#ServerInfo.GetHtml() is a Razor view engine syntax. Try saving your file as .cshtml or .vbhtml
The problem is that your webserver is not set up to serve HTML files through the ASP.NET interpreter. Change the extension to .aspx (i.e., use the same code, but call it spec.aspx).
Are you setting the Content-Type header correctly. If not set to text/html or similar, the browser or framework may set the content-type to text/plain which will not render the html at all.
You can check this in Firebug in the Net tab, expanding the response that is associated with the page you are serving, and looking in the Headers tab. If the Content-Type header is anything besides text/html or text/xhtml, then you need to find a way to make your web server set that header properly
let me guess its just showing up "#ServerInfo.GetHtml()" on a webpage. This does nothing if you put it simply in a body tag of a html page. If you are running IIS make sure you are saving as .aspx and not .html
See "yourhtmlsource.com/myfirstsite/myfirstpage.html"
I hope I am understanding the question and this helps. I found it on the web page given above.
When you double-click a file on your computer’s desktop, the computer knows what program to open the file in by checking the file’s “extension”. A txt file will open in a text editor.
You need to give your document a file extension of ”.html”, which will tell it to open the file in your web browser, such as Internet Explorer, Firefox or Safari.
Right now you should be editing your HTML page in a text editor, which normally saves files with the extension “.txt”. We want to make it save in “.html”. In your text editor click File → Save As…. If you use Microsoft Windows, there will be a box labelled “save as type”; change it to “all files .”. This means that you can save the data (in this case, some text) into any format. Now type in the name index.html for your file and click save. Ex: file.txt becomes file.html.
I have an HttpModule that displays images that follow a certain URL pattern. For example, /images/employees/jason.jpg is handled by the module, but all other images aren't. It works just fine on my local machine (Cassini and IIS 7). However, the IIS6 production server isn't working. I've had the hosting company map the images to the ASP.NET worker process. Now, all images are showing that they can't render except for the images that should be rendered by the module. They are working correct.
I ran an HttpWatch instance on one of the files and received the following error:
ERROR_HTTP_INVALID_SERVER_RESPONSE
Any ideas?
Final Answer:
The module needed to be updated to transmit server files. So, I added an else to my original if and checked to see if it was an image type (by using a utility method) then use Response.TransmitFile() to pass on the file to the browser.
I then ran into a spacing issue with the images. This was because I forgot that I had .aspx files registered as an image type to perform the testing. So each page would crash during the debug process or add padding that was established from CSS. Doh!
Everything is just peachy now. Thanks to all!
There's doesn't seem to be anything particularly wrong with your module, so the issue must be coming from somewhere else. Have you got security that might be blocking the images? What actually gets returned when you request a static file?
I'd suggest seeing what gets returned (and its headers) using something like firebug to check things like the response code, content type, the actual raw response, etc...
check your web.config IIS6 / IIS7 have different places to add modules and depends on what mode your IIS7 is running in.
http://arcware.net/use-a-single-web-config-for-iis6-and-iis7