Topic: Solved: Error: Refused to execute script
mokfarg
Joined: 16 Jan 2019 Posts: 4 Location: USA, Colorado
Posted: Wed 20 Mar '19 17:18 Post subject: Solved: Error: Refused to execute script
I am hoping someone will be so kind as to lend me their expertise. I have investigated the error message via internet searches and so far the issues I have found do not seem to be related to what I am seeing.
Environment:
Apache 2.4 Server on Ubuntu 18.04 utilized as a reverse proxy server for multiple web servers.
I have added an additional virtual host for a reverse proxy for a web server accessible via https. When accessing the original web server directly, I do not see an error message that I am seeing when reverse proxying through the Apache server.
I am going to post the GET and response headers below from when accessing the web server directly and from when accessing through the Apache server. I will also post the error message I am seeing below when accessing the website through the Apache reverse proxy. All tests have been performed from the same PC with the same OS and same browser.
Last I will post my virtual host configuration for scrutiny. Any suggestions to correct the issue will be appreciated. Thank you.
Error message in Chrome web browser when accessing website through Apache reverse proxy that isn't present when accessing the website directly:
Refused to execute script from 'https://website.domain.org/scripts/file.aspx' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
Response Header when accessing web server directly:
Cache-Control: private
Content-Length: 3212
Content-Type: text/html; charset=utf-8
Date: Tue, 19 Mar 2019 21:37:21 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: LASTEST_REQUEST_TIME=1553035041458; path=/; secure; HttpOnly
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Powered-By: ASP.NET
X-UA-Compatible: IE=10
Response Header when accessing through apache reverse proxy:
cache-control: private
content-encoding: gzip
content-length: 1218
content-type: text/html; charset=utf-8
date: Tue, 19 Mar 2019 21:33:12 GMT
server: Microsoft-IIS/8.5
set-cookie: LASTEST_REQUEST_TIME=1553034792436; path=/; secure; HttpOnly
status: 200
vary: Accept-Encoding
x-aspnet-version: 4.0.30319
x-content-type-options: nosniff
x-frame-options: sameorigin
x-powered-by: ASP.NET
x-ua-compatible: IE=10
GET header when accessing web server directly:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: .ASPXANONYMOUS...……………..; LASTEST_REQUEST_TIME=1553035041333; _gat_UA-11306486-23=1
Host: https://website.domain.org
Referer: 'https://website.domain.org/scripts/Welcome.aspx'
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
GET header through Apache reverse proxy server:
:authority: onlinepermits.buncombecounty.org
:method: GET
:path: /CitizenAccess/Scripts/GlobalConst.aspx
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: .ASPXANONYMOUS...……………………….; LASTEST_REQUEST_TIME=1553034792295
referer: 'https://website.domain.org/scripts/Welcome.aspx'
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Apache Virtual Host Configuration:
#vhost reverse proxy
<VirtualHost *:443>
ServerName website.domain.org
ProxyPreserveHost on
ProxyRequests off
ProxyVia off
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/priv.key
ProxyPassReverse / https://website.domain.org/
ProxyPass / https://website.domain.org/
</VirtualHost>
*** changed domain names and URIs ***
Last edited by mokfarg on Fri 22 Mar '19 18:52; edited 1 time in total
mokfarg
Joined: 16 Jan 2019 Posts: 4 Location: USA, Colorado
Posted: Fri 22 Mar '19 18:41 Post subject:
The backend server being proxied is a vendor server that is presenting a script with an aspx extension. When accessing the webserver directly, it does not set an x-content-type nosniff header. I had the Apache reverse proxy server set to provide this security header, preventing the client browser from "sniffing" the MIME type.
I hope this helps someone.
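The cause described in the post above can be confirmed from the two response-header dumps alone. The following added example (not part of the original thread) diffs them and applies the nosniff rule browsers use for script and style requests; the function names are illustrative.

```python
# JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}
# Response headers copied from the first post, trimmed to the relevant lines.
DIRECT = """\
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
"""
PROXIED = """\
content-encoding: gzip
content-type: text/html; charset=utf-8
server: Microsoft-IIS/8.5
vary: Accept-Encoding
x-content-type-options: nosniff
"""

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lowercased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def added_by_proxy(direct, proxied):
    """Header names present only in the proxied response."""
    return sorted(set(proxied) - set(direct))

def nosniff_blocks(headers, destination="script"):
    """True if a browser honouring nosniff refuses this response for the destination."""
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        return False
    mime = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if destination == "script":
        return mime not in JS_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False

if __name__ == "__main__":
    direct, proxied = parse_headers(DIRECT), parse_headers(PROXIED)
    print("added by proxy:", added_by_proxy(direct, proxied))
    print("direct blocked:", nosniff_blocks(direct), "| proxied blocked:", nosniff_blocks(proxied))
```

The same check shows the block disappears if the backend serves the script with a JavaScript content type, which keeps nosniff in place for every other response.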