Proxy GitHub Files for Hotlinking

I have a library that I would like to try in JSFiddle, for example Marked, a markdown parser and compiler. But hotlinking the minified JavaScript file directly does not work:

<script src="https://raw.githubusercontent.com/chjj/marked/master/marked.min.js"></script>

Error:

Refused to execute script from 'https://raw.githubusercontent.com/chjj/marked/master/marked.min.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.

Double check the headers:

$ curl -I https://raw.githubusercontent.com/chjj/marked/master/marked.min.js
HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Origin: https://render.githubusercontent.com
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Length: 19160
Accept-Ranges: bytes
Via: 1.1 varnish
X-Served-By: cache-lax1429-LAX
X-Cache: MISS
X-Cache-Hits: 0
Vary: Authorization,Accept-Encoding
Source-Age: 0

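The two headers that prevent hotlinking:

  • Content-Type is set to text/plain, but a script must be served as application/javascript; with X-Content-Type-Options: nosniff the browser enforces this strictly.
  • Access-Control-Allow-Origin is not set to *, which prevents cross-origin AJAX requests.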

The solution is to proxy the file by running your own server, or use RawGit:

$ curl -I https://rawgit.com/chjj/marked/master/marked.min.js
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Robots-Tag: none
RawGit-Naughtiness: 0
Access-Control-Allow-Origin: *
Cache-Control: max-age=300
Vary: Accept-Encoding
RawGit-Cache-Status: MISS

The Content-Type has been updated to application/javascript and the CORS restriction has been relaxed via Access-Control-Allow-Origin: *.
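
For the run-your-own-server option, the sketch below is an added example, not code from the original post or from RawGit: a Node.js proxy that fetches only from raw.githubusercontent.com and rewrites the two headers discussed above. It assumes Node 18+ for the global fetch; PROXY_PORT and the function names are hypothetical.

```javascript
// Added example (not from the original post): minimal hotlink proxy for GitHub raw files.
// Assumptions: Node 18+ (global fetch); PROXY_PORT is a hypothetical env var that starts the server.
const UPSTREAM = 'https://raw.githubusercontent.com';

// Types are chosen from the file extension, never copied from upstream.
const TYPES = {
  js: 'application/javascript; charset=utf-8',
  css: 'text/css; charset=utf-8',
  json: 'application/json; charset=utf-8',
};

// Accept only /user/repo/ref/path made of plain segments, so a request
// cannot steer the proxy to another host or climb out with "..".
function upstreamUrl(pathname) {
  const [lead, ...parts] = pathname.split('/');
  const ok = lead === '' && parts.length >= 4 &&
    parts.every((p) => /^[A-Za-z0-9._-]+$/.test(p) && !/^\.+$/.test(p));
  const ext = ok ? parts[parts.length - 1].split('.').pop().toLowerCase() : '';
  return ok && Object.hasOwn(TYPES, ext) ? UPSTREAM + pathname : null;
}

// The two headers the post identifies, corrected; nosniff stays on.
function responseHeaders(pathname) {
  const ext = pathname.split('.').pop().toLowerCase();
  return {
    'Content-Type': TYPES[ext],
    'Access-Control-Allow-Origin': '*',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'max-age=300',
  };
}

// Fetch the file and return { status, headers, body } for any HTTP framework.
async function proxy(pathname, fetchImpl = fetch) {
  const url = upstreamUrl(pathname);
  if (!url) return { status: 400, headers: {}, body: 'unsupported path\n' };
  const res = await fetchImpl(url, { redirect: 'error' });
  if (!res.ok) return { status: 502, headers: {}, body: 'upstream error\n' };
  return { status: 200, headers: responseHeaders(pathname), body: await res.text() };
}

// Start an HTTP server only when PROXY_PORT is set.
if (process.env.PROXY_PORT) {
  import('node:http').then(({ createServer }) => createServer(async (req, res) => {
    const out = await proxy(new URL(req.url, 'http://localhost').pathname).catch(
      () => ({ status: 502, headers: {}, body: 'upstream error\n' }));
    res.writeHead(out.status, out.headers).end(out.body);
  }).listen(Number(process.env.PROXY_PORT)));
}
```

Because the proxy hands back third-party content as executable script, host it on an origin that holds no cookies or sessions of its own.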

Problem solved and the fiddle works as expected: