IE9 script response blocked due to mime type mismatch

mapper picture mapper · May 13, 2011 · Viewed 24.9k times · Source

I use the following code snippet to load data from google fusion table as json.

var fileref = document.createElement("script");
fileref.setAttribute("type", "text/javascript");
fileref.setAttribute("src", "http://tables.googlelabs.com/api/query?sql=select * from 588320&hdrs=false&jsonCallback=LoadTable");

Works great in IE8, FF, Chrome, but now IE9 doesn't know how to handle the callback because the response and mime types don't match. IE9 reports the following script error when using jsonCallback param because it doesn't like the mime type.

SEC7112: Script from http://tables.googlelabs.com/api/query?sql=select * from 588320&hdrs=false&jsonCallback=LoadTable was blocked due to mime type mismatch.

Is there a workaround short of me having to host the src locally (or am I doing something wrong)?

Response Headers

Content-Type text/plain; charset=UTF-8 
Content-Encoding gzip 
Transfer-Encoding chunked 
Date Fri, 13 May 2011 02:19:11 GMT 
Expires Fri, 13 May 2011 02:19:11 GMT 
Cache-Control private, max-age=0 
X-Content-Type-Options nosniff 
X-Frame-Options SAMEORIGIN 
X-XSS-Protection 1; mode=block 
Server GSE 


Request Headers

Host tables.googlelabs.com 
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language en-us,en;q=0.5 
Accept-Encoding gzip, deflate 
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive 115 
Connection keep-alive 
Cache-Control max-age=0 

Answer

EricLaw picture EricLaw · May 13, 2011

The problem is that Google is sending an X-Content-Type-Options: nosniff declaration and returning a JavaScript file without a JavaScript MIME type. This can only be fixed by either removing the nosniff declaration or by fixing the MIME type to indicate that the file is, in fact, script.

http://blogs.msdn.com/b/ieinternals/archive/2010/09/27/ie9-beta-google-image-search-javascript-content-type-and-nosniff.aspx

I've sent mail to Google about this one.