tracker issue : CF-4200425

select a category, or use search below
(searches all categories and all time range)

HTML security header "X-Content-Type-Options: nosniff" breaks various '.gif' icons in CF admin w/ IE11

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Chris D / Chris D ()

Created: 12/15/2017

Components: Administrator

Versions: 2016,11.0,2018

Failure Type: Usability Issue

Found In Build/Fixed In Build: CF 2016 Update 5 / 314554

Priority/Frequency: Normal / All users will encounter

Locale/System: / Win 2016

Vote Count: 0

Problem Description: Adding the HTML security header: 
X-Content-Type-Options: nosniff
will prevent Internet Explorer 11 from rendering various icons in the Coldfusion Administrator.
Evidently, these icons are of type "PNG" but have been renamed and referenced as type "GIF".
Example file: /CFIDE/administrator/images/idelete.gif  when attempted to save image shows up as idelete_gif.png

Steps to Reproduce:  
1. Add security header: "X-Content-Type-Options" with value "nosniff" to IIS site.
2. Logon to CF admin ( using Internet Explorer 11
3. Go to the Data Sources section.
4. Observe that the Edit, Verify, Delete icons do not appear.

Actual Result:
Various ".gif" icons do not appear in the Coldfusion administrator

Expected Result:
These icons should appear.  

Any Workarounds:
Remove the security header "X-Content-Type-Options: nosniff" for the IIS site configured for CF Admin.



Hi Chris, Can you re-verify and confirm the version of CF, because we do not support admin access from the connector port in CF2016. Also, I do see the issue happening on CF11. Thanks!
Comment by S P.
162 | December 19, 2017 04:04:21 AM GMT
Hi Preethi, Coldfusion 2016 Update 5. Also see it in our CF 11 Update 13 we're migrating away from. Yes, I'm using the connector for IIS in a dedicated site for CF Admin (had issues with Error Handler mappings not working with builtin webserver) but locked down as suggested in the lock down guide to just the local host. Thanks, Chris
Comment by Chris D.
163 | December 20, 2017 06:29:02 PM GMT