This article documents a known issue where PNG files uploaded to the Document Library do not display in IE11, and the console shows DOM7009: Unable to decode image at URL.
As a security measure, and to prevent malicious scripts from being executed in browsers, Liferay sends the X-Content-Type-Options: nosniff HTTP header to protect against MIME sniffing.
Default value in system.properties:
    #
    # Set this to true for the portal to send the "X-Content-Type-Options:
    # nosniff" HTTP header to protect against MIME sniffing. Custom URLs can be
    # specified in the property
    # "http.header.secure.x.content.type.options.urls.excludes" that allow for
    # unhindered MIME sniffing.
    #
    http.header.secure.x.content.type.options=true
This behavior is known, and intended, since Internet Explorer 8 (according to Microsoft's documentation).
To summarize, the script and styleSheet elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff.
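A check for the condition described above, as an added example that is not part of the original article or Liferay's code: it compares each response's declared Content-Type with the type implied by the file's leading bytes and reports whether nosniff was sent. The paths and captured responses are constructed, and the classification labels are this example's own.

```python
# Added example (not Liferay code). Sample responses below are constructed.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

def detect_type(body):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    return None

def classify(headers, body):
    """Classify one response by declared type, real type and nosniff."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    actual = detect_type(body)
    if actual is None:
        return "unknown-content"
    if declared == actual:
        return "ok"
    # Declared type is wrong: with nosniff the browser must trust it and
    # may fail to decode; without nosniff the browser guesses the type.
    return "mismatch-not-sniffed" if nosniff else "mismatch-sniffed"

def audit(responses):
    """Map each path to its classification, skipping clean responses."""
    findings = {}
    for path, headers, body in responses:
        result = classify(headers, body)
        if result != "ok":
            findings[path] = result
    return findings

PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
# Constructed captures: (path, response headers, first bytes of body).
SAMPLE = [
    ("/example/a.png", {"Content-Type": "image/png",
                        "X-Content-Type-Options": "nosniff"}, PNG),
    ("/example/b.png", {"Content-Type": "application/octet-stream",
                        "X-Content-Type-Options": "nosniff"}, PNG),
    ("/example/c.png", {"content-type": "text/plain; charset=UTF-8"}, PNG),
]

if __name__ == "__main__":
    for path, result in audit(SAMPLE).items():
        print(path, result)
```

Paths reported as mismatch-not-sniffed are the ones a nosniff-honoring browser may refuse to decode; paths reported as mismatch-sniffed show where the browser is left to guess the type.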
Resolution
There are two options to resolve this behavior. Please be aware of the potential risks of setting either option, and proceed at your own discretion:
Option 1
Disable X-Content-Type-Options: nosniff being sent from Liferay
- In your system-ext.properties set http.header.secure.x.content.type.options=false
- Save the file
- Restart the server
Option 2
Define the exact URLs that will allow for unhindered MIME sniffing:
- In the system-ext.properties file, set comma-delimited URL prefixes that allow for unhindered MIME sniffing, as seen in the default property in system.properties:

    #
    # Set a list of comma delimited URL prefixes that allow for unhindered
    # MIME sniffing. This property is only used when the property
    # "http.header.secure.x.content.type.options" is set to true.
    #
    http.header.secure.x.content.type.options.urls.excludes=

- Save the file
- Restart the server