steelseries gauges
Posted: Sat Dec 30, 2017 6:09 pm
by bidouilleur
I tried the 2 plugins and the block but each time the gauges don't load (icons around yes)
In the console I always see this kind of error, and I couldn't find anything in this forum (nor elsewhere) that gives me a hint where to start solving the problem
Code:
[Error] Did not load script at 'https://domain.fr/meteo/plugins/liveGaugesAPI/libraries/RGraph.common.key.js' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
server is cpanel driven with php 7.1
Does someone here have a hint to share on how to track this down? Nothing in the error logs
I have used steelseries on other sites on the same server without issues ... bit at a loss
thanks for sharing your hints
Re: steelseries gauges
Posted: Sun Dec 31, 2017 10:48 am
by Jachym
The MIME types are incorrectly configured on your server. See if your provider can help you with this; it is a server configuration.
Re: steelseries gauges
Posted: Sun Dec 31, 2017 11:03 am
by bidouilleur
I'm the server boss but no clue what to look for
I have MIME types listed and can add more, but where do I start to look?
Since this is running a standard cpanel I guess the solution could help many others hosted on cpanel accounts since account holders can modify mime types account level ...
Anyone can point my nose in the correct direction ? Thanks
Re: steelseries gauges
Posted: Sun Dec 31, 2017 12:17 pm
by ozgreg
Very simple, your hosting provider has added additional Mime content type hardening on your server..
nosniff
Blocks a request if the requested type is
"style" and the MIME type is not "text/css", or
"script" and the MIME type is not a JavaScript MIME type.
Unfortunately you are going to need to talk to the Steelseries Gauges author, Mark Crossley, as he will need to change some of his style and script tags to avoid triggering the nosniff.
Re: steelseries gauges
Posted: Sun Dec 31, 2017 5:39 pm
by bidouilleur
OK, finally found why it blocks and a solution (for me anyway).
I use Engintron nginx on top of the normal Apache. As a basic security rule it adds the following to all headers regardless of which account:
Code:
# Security Headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
In this case rule 2 blocks the gauges from displaying because 3 files don't declare correctly their content via tags.
To solve this very simply, you have to add 1 line in the following 3 files that are in /plugins/steelSeries/scripts
steelseries_tween.php
language.php
gauges.php
Open the file in an editor and at the top you see each time something like this
Code:
<?php
include("../../../config.php");
include($baseURL."css/design.php");
include($baseURL."header.php");
?>
Just add the following line just before the closing PHP tag: ?>
Code:
header("content-type: application/x-javascript");
For me now the gauges load, time to go fiddle with these
Hope this will help others who run into this nosniff security measure (this is related to cross-site scripting attacks, and many hosting providers are starting to add it by default).
Re: steelseries gauges
Posted: Mon Jan 01, 2018 5:33 am
by ozgreg
Great outcome.. And the issue as you have correctly spotted is due to the "3 files that don't declare correctly their content via tags"