Friday 8 March 2013

It turns out...

That you really need to set your MIME types when serving your static media. Every nginx-as-a-reverse-proxy configuration file example for Django I have seen missed this point, which made me waste hours figuring out why static media is loaded from the server (with HTTP status 200 OK) but ignored by browsers.

Apparently browsers will ignore media files with the wrong Content-Type header.

The consequences of a misconfigured server aren't always immediately evident. For example, consider an HTML page (sent out correctly as text/html) which references a stylesheet and a number of inline images. If the server sends these out with a wrong Content-Type, the browser might display the HTML page's main content, but it has every right to ignore the offending stylesheet or to omit the offending image(s) from the display; indeed, a strict interpretation of the rules would say that it must behave that way. Faking the wrong Content-Type from the server is potentially a way of compromising security, so there's a genuine reason for this rule being the way that it is.

So take care, and keep this in mind.
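
A minimal reverse-proxy configuration with the MIME type mapping in place, as an added example that is not from the original post. The server name, the static directory and the Django upstream address are assumed placeholders.

```nginx
# Added example; server_name, the alias path and the upstream
# address are placeholders, not values from the post.
events {}

http {
    # Maps file extensions to Content-Type values (css -> text/css,
    # png -> image/png, ...). Without this include nginx knows no
    # extensions and sends every static file with default_type.
    # The file ships with nginx, normally next to nginx.conf.
    include       mime.types;

    # Fallback for extensions mime.types does not list. nginx's
    # built-in default is text/plain, which is what a browser sees
    # for .css and .js files when the include above is missing.
    default_type  application/octet-stream;

    server {
        listen      80;
        server_name example.com;

        # Static media served by nginx itself; the Content-Type
        # comes from the mime.types mapping above.
        location /static/ {
            alias /srv/example/static/;
        }

        # Everything else goes to Django, which sets its own
        # Content-Type on the responses it generates.
        location / {
            proxy_pass       http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }
    }
}
```

After a reload, `curl -I` against a stylesheet under `/static/` should report `Content-Type: text/css` rather than `text/plain`.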
