 
TL;DR: Serving script directly from `raw.github.com` is a Bad Idea™. Use GitHub Pages instead!

Support for blocking scripts that opt in to strict MIME-type checking landed in Canary a few weeks back[1], matching the behavior of IE8, 9, and 10. This means that a resource delivered with an `X-Content-Type-Options: nosniff` header will only execute as script if it is also delivered with a JavaScript `Content-Type` header (`application/javascript`, for example). Web applications (especially those that accept user-controlled content) can use these headers to protect themselves from some interesting XSS injections that rely on otherwise unexecutable files (an uploaded "text" document, say) being MIME-sniffed into JavaScript.
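The following is an added example, not code from the original post or from GitHub or Chromium: a small model of the strict-MIME check the paragraph describes, run over constructed header sets that resemble the cases the post discusses (the GitHub Pages headers are assumed, not captured). It shows which combinations of `Content-Type` and `X-Content-Type-Options` let a `<script src>` run, using the JavaScript MIME type list from the MIME Sniffing standard.

```javascript
// Added example (not from the original post): a model of the strict MIME-type
// check applied to <script> resources when the response carries
// X-Content-Type-Options: nosniff. The header sets below are constructed to
// resemble the situations in the post; they are not captured responses.

// JavaScript MIME type essences as listed in the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return null;
}

// Content-Type "essence": type/subtype with parameters such as charset
// removed, trimmed and lowercased ("Text/Plain; charset=utf-8" -> "text/plain").
function mimeEssence(contentType) {
  if (contentType === null) return null;
  return contentType.split(";")[0].trim().toLowerCase();
}

// nosniff is in effect when the first list member of the header, compared
// case-insensitively, is "nosniff".
function hasNosniff(headers) {
  const value = getHeader(headers, "X-Content-Type-Options");
  if (value === null) return false;
  return value.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Decide whether a response fetched for a <script> element will be executed.
// Returns { execute: boolean, reason: string }.
function scriptExecutionDecision(headers) {
  const essence = mimeEssence(getHeader(headers, "Content-Type"));
  if (!hasNosniff(headers)) {
    // Without nosniff, text/plain (or a missing Content-Type) is not enforced
    // for scripts: the body runs anyway. That is the gap nosniff closes.
    return { execute: true, reason: "no nosniff; Content-Type not enforced" };
  }
  if (essence !== null && JAVASCRIPT_MIME_TYPES.has(essence)) {
    return { execute: true, reason: `nosniff with JavaScript MIME type ${essence}` };
  }
  return {
    execute: false,
    reason: `Refused to execute script because its MIME type ('${essence}') ` +
            "is not executable, and strict MIME type checking is enabled",
  };
}

// Constructed header sets resembling the situations the post describes.
const SAMPLE_RESPONSES = {
  // raw.github.com as described in the post: text/plain plus nosniff.
  rawGithub: { "Content-Type": "text/plain; charset=utf-8",
               "X-Content-Type-Options": "nosniff" },
  // A .js file served from GitHub Pages (assumed headers, not captured).
  githubPages: { "Content-Type": "application/javascript; charset=utf-8" },
  // A user-uploaded "document" on a site that sets nosniff on everything.
  uploadedWithNosniff: { "content-type": "text/plain",
                         "x-content-type-options": "NOSNIFF" },
  // The same upload on a site without nosniff: <script src> still runs it.
  uploadedWithoutNosniff: { "Content-Type": "text/plain" },
};

// Map each sample to its execute/block outcome.
function evaluateSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = scriptExecutionDecision(headers).execute;
  }
  return out;
}

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const d = scriptExecutionDecision(headers);
  console.log(`${name}: ${d.execute ? "EXECUTE" : "BLOCK"} (${d.reason})`);
}
```

The `uploadedWithNosniff` case is the one the header is really for: a site that stores user content and serves it as `text/plain` with `nosniff` cannot be turned into a script host by another page doing `<script src="https://victim.example/uploads/evil.txt">`, while the same upload without `nosniff` executes.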

I like this change; it's good for security in a belts-and-braces sort of way.

One effect, however, is causing a bit of consternation[2]: GitHub serves resources from `raw.github.com` with `Content-Type: text/plain` and `X-Content-Type-Options: nosniff` headers; they don't actually want you using `raw.github.com` as a CDN. This change breaks pages that load script directly from a GitHub repo: you'll see errors like "Refused to execute script from '[URL]' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled."

GitHub (and I!) would very much prefer that you use Pages[3] to serve content. It's easier on their servers, it's very well supported by the tools they offer, and it will keep working in browsers that enforce `X-Content-Type-Options`.

[1]: http://trac.webkit.org/changeset/142683
[2]: https://code.google.com/p/chromium/issues/detail?id=180007
[3]: http://pages.github.com/
 
+Mathias Bynens: Clever! Does that actually cache the resources, or does it just pass through to GitHub's backend? ... I guess I could just look at the source, couldn't I?
 
Looks like a straight passthrough. Not sure GitHub would be any happier about this solution, but it does look like a reasonable option for testing.

The problem, of course, is that folks often take these testing solutions and deploy them. :)
 
Glad this issue is getting some publicity. GitHub should also make a post on their blog.
 
Silly question maybe, but how do you use pages to reference files?