Lunr: Content Security Policy (CSP), X-Content-Type: nosniff #82

Closed
strauhmanis opened this issue Nov 30, 2018 · 3 comments

@strauhmanis

Hi!

I have the following CSP header:

X-Content-Type-Options: nosniff

With this content security policy enabled, the following error comes up in web inspector console (I'm using local (non Ruby gem method), untouched, Basically Basic theme files):

[Error] Refused to execute https://www.mydomain.com/assets/javascripts/search-data.json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.

I would like to ask if that is something that can be fixed within the scope of this project, or if this error can be dealt with otherwise, without disabling the mentioned CSP header.

Thanks!

@mmistakes
Owner

Don't think there is anything to fix within the scope of this project. This appears to be hosting related, which the theme has no control over.

@strauhmanis
Author

Got it. Thanks!

@qgustavor
Contributor

qgustavor commented Aug 2, 2019

Wouldn't it be better to change search-data.json to search-data.js, like mmistakes/minimal-mistakes/assets/js/lunr/lunr-store.js? The extension is wrong: it isn't a JSON file, it is a JavaScript file. It would fix the wrong MIME type and avoid MIME-related issues.

Surely, it only causes issues when content-type-options: nosniff is added by the server, so I'm trying to find why my server is adding it and CloudFlare was adding it. On the other hand, as it is a security feature, renaming this file would be a better fix.
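The check behind the error in this thread, as an added example that is not part of the original issue or the theme's code: a simplified version of the browser's nosniff rule for script and style loads, run over constructed responses. The `example.com` host and the `application/json` type assumed for a `.json` file are illustrative assumptions.

```javascript
// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// "type/subtype" without parameters, lower-cased; "" when there is no header.
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// True when the response would be refused for the given destination.
// Simplification: only "script" and "style" destinations are modelled.
function blockedByNosniff(headers, destination) {
  const xcto = header(headers, "X-Content-Type-Options");
  // Only the first comma-separated value of the header is considered.
  if (xcto === null || xcto.split(",")[0].trim().toLowerCase() !== "nosniff") return false;
  const essence = mimeEssence(header(headers, "Content-Type"));
  if (destination === "script") return !JS_MIME_TYPES.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false;
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_RESPONSES = [
  { url: "https://example.com/assets/javascripts/search-data.json", destination: "script",
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" } },
  { url: "https://example.com/assets/javascripts/search-data.json?no-header", destination: "script",
    headers: { "Content-Type": "application/json" } },
  { url: "https://example.com/assets/javascripts/search-data.js", destination: "script",
    headers: { "content-type": "text/javascript; charset=utf-8", "x-content-type-options": "NoSniff" } },
];

// URLs a browser would refuse to execute or apply.
function audit(responses) {
  return responses.filter((r) => blockedByNosniff(r.headers, r.destination)).map((r) => r.url);
}

console.log(audit(SAMPLE_RESPONSES));
```

Only the `.json` file served with `nosniff` is reported, which matches the rename suggested above: once the same script is served with a JavaScript MIME type, the header no longer blocks it.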
