I have a library that I would like to try in JSFiddle, for example Marked, a markdown parser and compiler. But I cannot hotlink the minified JavaScript file directly:
<script src="https://raw.githubusercontent.com/chjj/marked/master/marked.min.js"></script>
Error:
Refused to execute script from 'https://raw.githubusercontent.com/chjj/marked/master/marked.min.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
Double check the headers:
$ curl -I https:
HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Origin: https:
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Length: 19160
Accept-Ranges: bytes
Via: 1.1 varnish
X-Served-By: cache-lax1429-LAX
X-Cache: MISS
X-Cache-Hits: 0
Vary: Authorization,Accept-Encoding
Source-Age: 0
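The two headers that prevent hotlinking:
- Content-Type is set to text/plain, where we are expecting application/javascript. Because X-Content-Type-Options: nosniff is also set, the browser enforces strict MIME type checking and refuses to execute the file.
- Access-Control-Allow-Origin is not set to *, which prevents AJAX requests.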
The solution is to proxy the file by running your own server, or use RawGit:
$ curl -I https://rawgit.com/chjj/marked/master/marked.min.js
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Robots-Tag: none
RawGit-Naughtiness: 0
Access-Control-Allow-Origin: *
Cache-Control: max-age=300
Vary: Accept-Encoding
RawGit-Cache-Status: MISS
The Content-Type has been updated to application/javascript and the CORS restriction has been relaxed via Access-Control-Allow-Origin.
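The two checks described above, as an added example (not code from the original post): it parses `curl -I` output and reports whether a `<script>` tag would execute the response and whether a cross-origin AJAX request could read it. The origins `https://fiddle.example` and `https://other.example` are placeholders, and the sample headers are constructed from the two responses shown above.

```javascript
// Added example, not from the original post. Sample headers are constructed.
// MIME types a browser accepts as JavaScript when nosniff is in effect.
const JS_MIME = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Parse `curl -I` output into a lower-cased header map (last value wins).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');            // the status line has no colon
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// pageOrigin: origin of the page that loads the file (placeholder in the samples).
function evaluate(raw, pageOrigin) {
  const h = parseHeaders(raw);
  const mime = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff = (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  const acao = h['access-control-allow-origin'];
  return {
    mime,
    // With nosniff, <script> only runs a response with a JavaScript MIME type.
    // Simplification: without nosniff the script is treated as allowed.
    scriptTagRuns: !nosniff || JS_MIME.has(mime),
    // A non-credentialed AJAX request needs "*" or the exact page origin.
    fetchReadable: acao === '*' || acao === pageOrigin,
  };
}

const RAW_GITHUB = [                        // constructed sample
  'HTTP/1.1 200 OK',
  'X-Content-Type-Options: nosniff',
  'Content-Type: text/plain; charset=utf-8',
  'Access-Control-Allow-Origin: https://other.example', // placeholder value
].join('\n');
const RAWGIT = [                            // constructed sample
  'HTTP/1.1 200 OK',
  'Content-Type: application/javascript; charset=utf-8',
  'X-Content-Type-Options: nosniff',
  'Access-Control-Allow-Origin: *',
].join('\n');
console.log(evaluate(RAW_GITHUB, 'https://fiddle.example'), evaluate(RAWGIT, 'https://fiddle.example'));
```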
Problem solved and the fiddle works as expected.