MIME type mismatch error after enabling the HTTP response header “X-Content-Type-Options”
Published Oct 06 2020 07:12 AM

The X-Content-Type-Options header is an HTTP response header that lets developers specify that their content should not be MIME-sniffed. It is designed to mitigate MIME-sniffing attacks. Every page that could contain user-controllable content must be served with the HTTP header X-Content-Type-Options: nosniff.


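Add the below header in the web.config file if the application is hosted by Internet Information Services (IIS) 7 onwards.

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Content-Type-Options" value="nosniff"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
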
Please refer to the Link to know more about this particular response header. 


The script and stylesheet elements will reject responses with incorrect MIME types if the server sends the response header "X-Content-Type-Options: nosniff". This is a security feature that helps prevent attacks based on MIME-type confusion. This is explained in this article.


Recently, I was working on an issue where I was getting the below error while calling AJAX functions.


Refused to execute script from 'http://localhost:8081/ajax/common.ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
Sample.aspx:1 Refused to execute script from 'http://localhost:8081/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.


I see the below code in my application. 


<script type="text/javascript" src="/ajax/common.ashx"></script>
<script type="text/javascript" src="/ajax/Ajax_Sample_.Sample,Ajax(Sample).ashx"></script>


It means that my application is expecting a JavaScript response from the .ashx file, but IIS sends the response with the content-type "text/plain" because it is a default HTTP handler.


As it would take some time to change the application code and deploy the code to IIS, I added an outbound URL rewrite rule in IIS as a workaround to fix the issue. Below are the steps followed.

    <system.webServer>
        <rewrite>
            <outboundRules>
                <remove name="Test" />
                <rule name="Test">
                    <match serverVariable="RESPONSE_CONTENT_TYPE" pattern="text/plain" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern=".ashx" />
                    </conditions>
                    <action type="Rewrite" value="text/javascript" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>

Refer: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-outbound-rules-for-url-r...


Note: This is just a workaround to resolve the issue, but the permanent solution would be to change the MIME type in your application code as per the requirement.


Hope this helps.

Last update: Oct 06 2020 09:45 AM