
Chrome display garbage characters in Oracle Object Storage


The reverse-proxy target is my Oracle Object Storage URL: a0.compat.objectstorage.us-phoenix-1.oraclecloud.com. Reverse-proxy target directory: /US. Because Oracle Object Storage does not support hotlink protection, I plan to use a Cloudflare Worker (cf worker) as a reverse proxy to implement hotlink protection.

Target file link: https://a0.compat.objectstorage.us-phoenix-1.oraclecloud.com/US/%E8%A7%86%E9%A2%91/%E3%80%8A%E6%88%91%E7%9A%84%E4%B8%89%E4%BD%93%E3%80%8B%20%E4%BC%AA%EF%BC%88zhong%EF%BC%89%E5%89%A7%EF%BC%88%E7%BA%A7%EF%BC%89%E5%9C%BA%EF%BC%88pian%EF%BC%89%E7%89%88.flv

Worker domain: a.b.workers.dev

Generated URL: https://a.b.workers.dev/%E8%A7%86%E9%A2%91/%E3%80%8A%E6%88%91%E7%9A%84%E4%B8%89%E4%BD%93%E3%80%8B%20%E4%BC%AA%EF%BC%88zhong%EF%BC%89%E5%89%A7%EF%BC%88%E7%BA%A7%EF%BC%89%E5%9C%BA%EF%BC%88pian%EF%BC%89%E7%89%88.flv

Message shown while debugging:

Uncaught (in promise) TypeError: Cannot read property 'includes' of null
    at fetchAndApply (worker.js:103)
fetchAndApply @ worker.js:103
Promise.catch (async)
(anonymous) @ worker.js:29
Uncaught (in response) TypeError: Cannot read property 'includes' of null

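Accessing it in the browser shows Error 1101: [image]

The object storage directory tree is: [image]

Strangely, only /视频/《我的三体》 伪(zhong)剧(级)场(pian)版.flv has this problem. For other files, I changed the file names, also put them in Chinese-named directories, and added special characters, and none of them reproduce it; only this file does.

It can be downloaded through the direct object storage link, so the file itself should be fine.

To make debugging easier for you, I will leave this file there for you to test with, and I will delete it once you have finished debugging.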

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments:10 (5 by maintainers)

Top GitHub Comments

3 reactions
liberty-song commented, May 8, 2020

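Solved. The cause is that Oracle Object Storage does not provide a "content-type" for this file in the Response Header, and Cloudflare's No-Sniff Header feature prevents Chrome from determining the file type on its own. (Chrome cannot recognize the file as a video file, so it cannot download it.)

Solution:

  1. Go to the SSL/TLS settings of the corresponding domain in Cloudflare
  2. Under HTTP Strict Transport Security (HSTS), choose Change HSTS Settings
  3. Set No-Sniff Header to Off

Test link (https://cdn.reverse-proxy.live)

Thanks for the answer. I ran into this problem too; it turns out the CloudFlare configuration was wrong.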

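0 reactions
xiaoyang-sde commented, May 8, 2020

3. No-Sniff Header

The purpose of this setting is to prevent two attacks, but Oracle Object Storage does not return a content-type, so the only option is to let the browser determine it by itself.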

Attacks Countered

MIME Confusion Attack enables attacks via user generated content sites by allowing users uploading malicious code that is then executed by browsers which will interpret the files using alternate content types, e.g. implicit application/javascript vs. explicit text/plain. This can result in a “drive-by download” attack which is a common attack vector for phishing. Sites that host user generated content should use this header to protect their users. This is mentioned by VeraCode and OWASP which says the following:

This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.

Unauthorized Hotlinking can also be enabled by Content-Type sniffing. By hotlinking to sites with resources for one purpose, e.g. viewing, apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service, e.g. GitHub displays JavaScript code for viewing, but not for execution:

Some pesky non-human users (namely computers) have taken to “hotlinking” assets via the raw view feature – using the raw URL as the src for a <script> or tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we’ve been forced to block popular content served this way because it put excessive strain on our servers.
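An alternative to switching No-Sniff off, as an added example that is not part of the thread or the project's worker.js: the Worker fills in the missing Content-Type itself, so `X-Content-Type-Options: nosniff` can stay enabled. `guessContentType`, `normalizeHeaders` and the extension table are hypothetical names; the empty-string default assumes the `includes` error came from reading the absent header, which the page does not show.

```javascript
// Added example, not the project's worker.js. Helper names and the
// extension table are assumptions made for illustration.
const MIME_BY_EXT = {
  flv: 'video/x-flv',
  mp4: 'video/mp4',
  jpg: 'image/jpeg',
  png: 'image/png',
  txt: 'text/plain; charset=utf-8',
};

// Pick a type from the last path segment's extension. Unknown types fall back
// to application/octet-stream, which browsers download instead of rendering.
function guessContentType(pathname) {
  const name = pathname.split('/').pop() || '';
  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.slice(dot + 1).toLowerCase() : '';
  return Object.prototype.hasOwnProperty.call(MIME_BY_EXT, ext)
    ? MIME_BY_EXT[ext]
    : 'application/octet-stream';
}

// `headers` is anything with get/set (a Fetch Headers object in a Worker).
function normalizeHeaders(headers, pathname) {
  // get() yields null when the origin sent no Content-Type, so default to ''
  // before calling any string method on the value.
  const upstreamType = headers.get('content-type') || '';
  if (upstreamType.trim() === '') {
    headers.set('content-type', guessContentType(pathname));
  }
  // With an explicit type in place, nosniff can stay on.
  headers.set('x-content-type-options', 'nosniff');
  return headers;
}

// Worker wiring, registered only when a fetch-event runtime is present.
// UPSTREAM is the origin host and bucket path given in the issue.
const UPSTREAM = 'https://a0.compat.objectstorage.us-phoenix-1.oraclecloud.com/US';
if (typeof addEventListener === 'function' && typeof Response === 'function') {
  addEventListener('fetch', (event) => {
    const url = new URL(event.request.url);
    event.respondWith(
      // Passing the request as init forwards its method and headers (e.g. Range).
      fetch(UPSTREAM + url.pathname + url.search, event.request).then((upstream) => {
        const headers = normalizeHeaders(new Headers(upstream.headers), url.pathname);
        return new Response(upstream.body, { status: upstream.status, headers });
      })
    );
  });
}
```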
