PHP-Web-Stat Support Forum
https://www.php-web-statistik.de/cgi-bin/yabb/YaBB.pl
https://www.php-web-statistik.de/cgi-bin/yabb/YaBB.pl?num=1648370578

Thread started by Aska29 on 27.03.22 at 10:42:58

Title: Problem tracking code with "nosniff" option
Post by Aska29 on 27.03.22 at 10:42:58
Hello, I bought the paid version of the software because I find it really great. And it corresponds to my expectations.

I used the following tracking code:
[code]<script type="text/javascript" src="https://www.abri29.com/phpwebstat53/pws.php?mode=js"></script>
<script type="text/javascript" src="https://www.abri29.com/phpwebstat53/plugins/onclick/pws_file.php"></script>
<noscript><img src="https://abri29.com/phpwebstat53/pws.php?mode=img" style="border:0; width:1px; height:1px" alt="noscript-img"></noscript>[/code]

Everything works fine, except when I use "header('X-Content-Type-Options: nosniff');" to reinforce the security of the website.
The problem is that the tracking code is blocked, here is what the debugger displays:


It detects "pws" files as text/html, and the tracking code says text/javascript.
The MIME type is not the same and therefore the files are blocked.

How to adapt the tracking code, or the files concerned so that they are accepted by the X-Content-Type-Options: nosniff security option?

Thank you.  ;)

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 28.03.22 at 20:42:47
Hi there,

we will analyze this case and come back to you.

Kind regards
Reimar

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 28.03.22 at 21:07:27
First idea: is it possible for you to change the webserver configuration so that javascript resources will get the correct MIME type in the Content-type header? It should be set to "text/javascript" instead of "text/html".

Let me further investigate this issue. Thanks for your patience.

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 28.03.22 at 21:17:48
If you are using an Apache HTTP Webserver, you can use a ".htaccess" file within your root folder to set the correct content type as follows:

[code]
<IfModule mod_headers.c>

  <FilesMatch "\.(js)$">
    Header set Content-Type "text/javascript"
  </FilesMatch>

</IfModule>
[/code]

Title: Re: Problem tracking code with "nosniff" option
Post by Aska29 on 28.03.22 at 21:19:54
I use shared hosting, I don't know if I have the possibility to change the webserver configuration. Or at least, I don't know how to change it.

Thank you for your answer, I love your product. This is the only point that blocks me a little. Because it is really a quick and practical solution to have the statistics of visits.

EDIT: I just got your last message, I will try to modify the .htaccess. I'll come back to you soon.

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 28.03.22 at 21:23:58
We are very happy to hear that you like our stat solution!

You can also google for "mod headers set content type javascript".
That was my way to find a solution.
If it is not working, we have to make a deeper diving session :-)
Just let us know.

Title: Re: Problem tracking code with "nosniff" option
Post by Aska29 on 28.03.22 at 21:41:31
I have modified my .htaccess with your solution. I have cleared the cache.
Here is a txt file that copies my .htaccess if you want to see:
https://abri29.com/pages/htaccess.txt

Edge dev console:

Vivaldi dev console:

Firefox dev console:


I think it doesn't solve the problem. I could remove this security setting, but it is recommended to use, so I hesitate.

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 30.03.22 at 15:38:01
That is a pity to hear ... so we have to make a deep dive.
Let me check this and come back to you.
Please be patient, it takes a few days. Thanks.

Title: Re: Problem tracking code with "nosniff" option
Post by Aska29 on 30.03.22 at 16:01:49
I have deactivated this security in the meantime, I only have a modest website, so it is not urgent. ;)
Take your time to see if something is possible in this case.
I think it will interest many people in the future, because the option "nosniff" on the headers is part of the security options that will be more and more common.
Anyway, thanks again for your answer and your help! :)

Title: Re: Problem tracking code with "nosniff" option
Post by Reimar on 01.04.22 at 22:18:19
Many thanks for your patience.

We analyzed the situation and found out the following. If you change your code from


[code]
<script type="text/javascript" src="https://www.abri29.com/phpwebstat53/pws.php?mode=js"></script>
<script type="text/javascript" src="https://www.abri29.com/phpwebstat53/plugins/onclick/pws_file.php"></script>
<noscript><img src="https://abri29.com/phpwebstat53/pws.php?mode=img" style="border:0; width:1px; height:1px" alt="noscript-img"></noscript>
[/code]


to


[code]
<script src="https://www.abri29.com/phpwebstat53/pws.php?mode=js"></script>
<script src="https://www.abri29.com/phpwebstat53/plugins/onclick/pws_file.php"></script>
<noscript><img src="https://abri29.com/phpwebstat53/pws.php?mode=img" style="border:0; width:1px; height:1px" alt="noscript-img"></noscript>
[/code]


So the difference is to exclude the parameter "type=text/javascript".

We hope this helps.

Title: Re: Problem tracking code with "nosniff" option
Post by Aska29 on 02.04.22 at 00:49:50
A big thank you, everything is working now. Thanks for your help and this great software!
