WildFly / WFLY-11558

Content-Type header is not set in HTTP response for directory resource in servlet directory-listing feature


Details

      1. unzip wildfly and start: ./bin/standalone.sh
      2. connect to CLI: ./bin/jboss-cli.sh -c
      3. deploy attached simple war app with example directory - helloworld-html5.war
      4. enable directory-listing:
        /subsystem=undertow/servlet-container=default:write-attribute(name=directory-listing,value=true)
        reload
        
      5. perform request via browser to http://localhost:8080/helloworld-html5/css - page is rendered correctly with js and css styles downloaded properly
      6. configure X-Content-Type-Options header and enable directory-listing
        /subsystem=undertow/configuration=filter/response-header=x-content:add(header-name=X-Content-Type-Options,header-value=nosniff)
        /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-content:add()
        
      7. perform the same request again and see that the js and css styles have not been downloaded because the css directory resource has been rendered as raw text instead of HTML.

    Description

      DefaultServlet does not set the Content-Type HTTP header in the response for a directory resource when the directory-listing feature is enabled.

      As browsers apparently try to guess the appropriate Content-Type of the downloaded resource, this problem is not spotted unless the X-Content-Type-Options header is present in the HTTP response too. This header effectively discourages the browser from guessing the Content-Type of the resource.

      Output for directory-listing request in attached reproducer helloworld-html5.war:

      $ curl -v http://127.0.0.1:8080/helloworld-html5/css/  >/dev/null 
      *   Trying 127.0.0.1...
      * TCP_NODELAY set
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
      > GET /helloworld-html5/css/ HTTP/1.1
      > Host: 127.0.0.1:8080
      > User-Agent: curl/7.59.0
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Connection: keep-alive
      < Content-Length: 824
      < Date: Fri, 04 Jan 2019 14:32:46 GMT
      < 
      { [824 bytes data]
      100   824  100   824    0     0   804k      0 --:--:-- --:--:-- --:--:--  804k
      * Connection #0 to host 127.0.0.1 left intact
      

      Notice that there is no Content-Type header in the HTTP response.
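
      A check for this condition, as an added example that is not part of the original report or of WildFly: the function reads a header dump such as `curl -s -D - -o /dev/null URL` produces and reports whether Content-Type is missing, alone or together with nosniff. The function name, the verdict strings and the sample responses are constructed for illustration; the `text/html` value in the last sample is an assumption.

```shell
#!/bin/sh
# Classify an HTTP response header dump read from stdin, for example from:
#   curl -s -D - -o /dev/null http://127.0.0.1:8080/helloworld-html5/css/
# Verdicts: ok | missing | missing+nosniff | no-response
classify_headers() {
    awk '
        # Tolerate CRLF line endings as sent on the wire.
        { sub(/\r$/, "") }
        # A new status line (redirect, 100 Continue) starts a new block: reset.
        /^HTTP\// { ct = 0; ns = 0; seen = 1; next }
        {
            i = index($0, ":")
            if (i == 0) next                      # blank line or non-header text
            name  = tolower(substr($0, 1, i - 1)) # header names are case-insensitive
            value = tolower(substr($0, i + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "content-type" && value != "") ct = 1
            if (name == "x-content-type-options" && value == "nosniff") ns = 1
        }
        END {
            if (!seen)   print "no-response"
            else if (ct) print "ok"
            else if (ns) print "missing+nosniff"   # the failure described in this report
            else         print "missing"           # browser falls back to sniffing
        }
    '
}

# Constructed sample: headers as in the report, before the nosniff filter is added.
sample_report() {
    printf 'HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: 824\r\n\r\n'
}
# Constructed sample: the same response once the x-content filter is referenced.
sample_nosniff() {
    printf 'HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 824\r\n\r\n'
}
# Constructed sample: a response that declares its type (text/html is an assumption).
sample_fixed() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n\r\n'
}

for s in sample_report sample_nosniff sample_fixed; do
    printf '%s: %s\n' "$s" "$($s | classify_headers)"
done
```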

            People

              sdouglas1@redhat.com Stuart Douglas
              jstourac@redhat.com Jan Stourac