Forum

Thread tagged as: Question, Problem

Assets App.

In the latest update to Perch: 2.5.4, it seems the Add Asset button doesn't appear when an editor tries to upload an image through a template. It does appear when accessing it through the Asset App.

Is that a role issue, or something else?

In the update notes I saw this "Fixes timing issue with JavaScript loading causing ‘add asset’ button not to appear"

This is the view in the Asset Manager when accessed through a template image upload.

view From Upload in template

This is the view in the Asset Manager when accessed through the Asset App view From Upload in template

Scott Gruber

Scott Gruber 0 points

  • 7 years ago

I've isolated this issue to Chrome Version 36.0.1985.125.

The button does appear as expected in Safari version 7.0.5 and Firefox 30.

Drew McLellan

Drew McLellan 2638 points
Perch Support

Could it be caching?

I tried to clear cache on Chrome to no effect. I then completely cleared all files, closed Chrome and opened the browser again. Unfortunately still no effect.

I looked in Chrome console and saw these two error messages

Refused to execute script from 'https://www.environment.ucla.edu/perch/core/inc/js_lang.php' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

Refused to execute script from 'https://www.environment.ucla.edu/perch/core/inc/js_privs.php' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

Addendum

I funneled both through Assets and through upload image on a page template and the script error showed up in both places.

I think I found the cause of the problem.

In my .htaccess file I had this bit of code

 <IfModule mod_headers.c>
     Header set X-Content-Type-Options "nosniff"
 </IfModule>

When I removed it, the problem was fixed. And the two error Console errors also aren't showing up.

Here was the info in my .htaccess file.

# ------------------------------------------------------------------------------
# | Reducing MIME-type security risks                                          |
# ------------------------------------------------------------------------------

# Prevent some browsers from MIME-sniffing the response.

# This reduces exposure to drive-by download attacks and should be enable
# especially if the web server is serving user uploaded content, content
# that could potentially be treated by the browser as executable.

# https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
# https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
# https://mimesniff.spec.whatwg.org/

 <IfModule mod_headers.c>
     Header set X-Content-Type-Options "nosniff"
 </IfModule>
Drew McLellan

Drew McLellan 2638 points
Perch Support

Ok, that's really weird. I don't see why there would be an issue - it's a JSON file served with a JSON mime type. I'll take a look into it.

Maybe a conflict with something else in .htaccess?

 <IfModule mod_headers.c>
     #                           (1)    (2)
     Header set X-XSS-Protection "1; mode=block"
     <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|tt[cf]|vcf|vtt|webapp|web[mp]|woff|xml|xpi)$">
         Header unset X-XSS-Protection
     </FilesMatch>
 </IfModule>

Or (doubtful)

<FilesMatch "(^#.*#|\.(bak|config|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>

</FilesMatch>

Or gzip (doubtful)


AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript
Drew McLellan

Drew McLellan 2638 points
Perch Support

Is this all from HTML5 Boilerplate?

No on gzip. Yes, on XSS, yes on nosniff,

Plenty of HTML 5 boilerplate is not used.

Back to sleep for me in LA, and I need to run some more tests during day.

Plus side — commenting out nosniff worked.

Drew McLellan

Drew McLellan 2638 points
Perch Support

Ok, I've changed the mime type to application/javascript and that appears to stop its whinging.

Thanks Drew.

Whinging is a new word in my vocabulary.

Quick dummy check. Will your change will be rolled into the next update?

Drew McLellan

Drew McLellan 2638 points
Perch Support

Yes, it'll be in 2.5.5.