Explicitly set comment diff fragments as javascript MIME type

Review Request #7432 — Created June 17, 2015 and submitted — Latest diff uploaded

Information

Review Board
master
9c7ce94...

Reviewers

If the HTTP header 'X-Content-Type-Options' is set to 'nosniff,'
compliant browsers (Google Chrome, for example) will not attempt to
MIME-sniff a response content type different from its declared type.

The comment diff fragment currently returns an HTTP response with a
default type of 'text/html,' but it is clearly code intended to be run
as a script of type 'application/javascript.'

On latest Google Chrome stable, this results in an error and a failure
to render the comment diff box.

Set the content type of this response to 'application/javascript,' to
reflect its true nature.

RB version: 2.0.17
Browser: Google Chrome 43.0.2357.124 (64-bit), Mac OS X.
Server: nginx 1.8.0, configured to serve the 'nosniff' header.

Manually inspected response headers before and after patch. The content type is 'text/html' before, and fails to render, instead showing the spinning logo forever. Chrome console reports and error:

Refused to execute script from 'https://test.mydomain.com/r/743/fragments/diff-comments/2246/?queue=diff_fragments&container_prefix=comment_container&1234556' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

After this patch, the box renders correctly, and no error is encountered.