Webbundle should set mimetype of config.js correctly

[lilioid]

What happened:
When opening the Web-UI, only a blank page showed.

What you expected to happen:
The Web-UI should work as expected or at least show an error that it's config could not be loaded.

How to reproduce it (as minimally and precisely as possible):

• Set the Header X-Content-Type-Options: nosniff on your webserver
• Proxy the Agola Web-UI through said webserver

Anything else we need to know?:
When the X-Content-Type-Option nosniff is set, it instructs browsers to not guess any content MIME-Types and since the /config.js route does not define its content to be Javascript, it does not get interpreted as such.
Setting the response header Content-Type to application/javascript below should fix this problem:

agola/internal/services/gateway/handlers/webbundle.go

Lines 71 to 76 in 94462e6

	if r.URL.Path == "/config.js" {
	_, err := w.Write(config)
	if err != nil {
	http.Error(w, "", http.StatusInternalServerError)
	}
	return

Environment:

• Agola version: v0.5.0 (bug is still present in master though)

[sgotti]

@ftsell does this issue happens only if config.js is invalid javascript right?

We never saw such issue with a valid config.js so I'm not sure if this is the real issue.

[lilioid]

No the validity of config.js does not matter because this issue appears before the file is even considered javascript (by the Browser).

Basically the Browser is trying to figure out as what to treat the received HTTP-Response. Normally it would look at the Content-Type header and if that is not present, try to guess by looking at the content (taking into account file extension and such). This secondary behavior is called sniffing and can be disabled (as I have done).

And in this circumstance neither sniffing nor a server-defined MIME-Type is available so the Browser treats config.js as plain text instead of executing it as Javascript.

Mozilla explains this in their article about MIME-Type in more detail.

[sgotti]

@ftsell but are you using a custom config.js? By default no config.js is provided and everything works correctly. config.js is needed only under some special circumstances. Can you provide a way to reproduce this issue?

[lilioid]

No I am not using a custom config.js.

And testing things with a locally running agola server works for me as well because then the X-Content-Type-Options Header is not set. My production webserver does set this Header though.
I have also tested enabling and disabling the nosniff option through X-Content-Type-Options and can verify that this resulted in the web-ui working and not-working. Because of that I am fairly certain that this is the cause of the issue.

If you want to, you can check out the browser console when visiting my deployed instance over at agola-ci.finn-thorben.me

In this Gist you can also find the exact deployment config I am currently using (on Kubernetes).

[sgotti]

@ftsell thanks. So probably our production webserver is not setting that header. Would you like to open a pull request?

[lilioid]

I'm working on a PR as we speak ;)