SharePoint 2019 Response Headers are mixed up.

  • Question

  • Hi,

    The response headers of a request to a page in SharePoint 2019 seem to be mixed up.

    New SharePoint 2019 Standard farm -> new team site.

    Web.config contains the following (untouched, not modified):

      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
          </customHeaders>
        </httpProtocol>

    The response headers of a request to a page:

    HTTP/1.1 200 OK
    Cache-Control: private
    Transfer-Encoding: chunked
    Content-Type: text/html
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Microsoft-IIS/10.0
    X-SharePointHealthScore: 0
    Content-Security-Policy-Report-Only: script-src 'strict-dynamic' 'unsafe-eval' 'nonce-6fa6ac4e-4209-4542-ab4c-19aa87b91c8f' ; report-uri https://spdev2019-62-4:8000/_layouts/15/CSPReporting.aspx
    X-AspNet-Version: 4.0.30319
    SPRequestGuid: 9248a09e-d793-3037-b0bc-aa1d53361741
    request-id: 9248a09e-d793-3037-b0bc-aa1d53361741
    Set-Cookie: https%3A%2F%2Fspdev2019%2D62%2D4%3A8000%2FDiscovery=WorkspaceSiteName=SG9tZQ==&WorkspaceSiteUrl=aHR0cHM6Ly9zcGRldjIwMTktNjItNDo4MDAw&WorkspaceSiteTime=MjAxOC0xMS0wOFQwODowNzowOA==; expires=Sat, 08-Dec-2018 08:07:08 GMT; path=/_vti_bin/Discovery.asmx; secure
    X-Powered-By: nosniff
    MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
    Date: Thu, 08 Nov 2018 08:07:08 GMT

    The response contains

    X-Powered-By: nosniff

    The value listed by the 'X-Content-Type-Options' header from web.config.

    The 'X-Content-Type-Options' header defined in web.config itself is not added.

    Adding another header like

      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
            <add name="X-Test" value="Test" />
          </customHeaders>
        </httpProtocol>

    And the response headers become

    HTTP/1.1 200 OK
    Cache-Control: private
    Transfer-Encoding: chunked
    Content-Type: text/html
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Microsoft-IIS/10.0
    X-SharePointHealthScore: 0
    Content-Security-Policy-Report-Only: script-src 'strict-dynamic' 'unsafe-eval' 'nonce-0b49ce45-9108-4195-a1aa-c41d00ff4d24' ; report-uri https://spdev2019-62-4:8000/_layouts/15/CSPReporting.aspx
    X-AspNet-Version: 4.0.30319
    SPRequestGuid: 0249a09e-a7a1-3037-b0bc-aac4c75d58cd
    request-id: 0249a09e-a7a1-3037-b0bc-aac4c75d58cd
    Set-Cookie: https%3A%2F%2Fspdev2019%2D62%2D4%3A8000%2FDiscovery=WorkspaceSiteName=SG9tZQ==&WorkspaceSiteUrl=aHR0cHM6Ly9zcGRldjIwMTktNjItNDo4MDAw&WorkspaceSiteTime=MjAxOC0xMS0wOFQwODoxNDo1MQ==; expires=Sat, 08-Dec-2018 08:14:51 GMT; path=/_vti_bin/Discovery.asmx; secure
    Persistent-Auth: true
    X-Powered-By: nosniff
    MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
    X-Content-Type-Options: Test
    Date: Thu, 08 Nov 2018 08:14:51 GMT

    The response headers now contain:

    X-Content-Type-Options: Test


    It seems that SharePoint 2019 does something with response headers, and they are all mixed up.

    Thursday, November 8, 2018 8:25 AM
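
A check for the mismatch reported above, as an added example that is not part of the original post or of SharePoint: it compares the `customHeaders` entries in web.config with the headers a response actually carries, and flags a configured value that surfaces under a different header name. The function names and the "appended after `: `" heuristic are assumptions made for this example; the sample input is the post's own web.config fragment and an abridged copy of its second response.

```python
import xml.etree.ElementTree as ET

# Sample input taken from the post above (response abridged to the relevant lines).
WEB_CONFIG = """<system.webServer><httpProtocol><customHeaders>
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
  <add name="X-Test" value="Test" />
</customHeaders></httpProtocol></system.webServer>"""

RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: nosniff
MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
X-Content-Type-Options: Test
Date: Thu, 08 Nov 2018 08:14:51 GMT"""

def configured_headers(xml_text):
    """Return {name: value} for each <customHeaders><add> entry."""
    root = ET.fromstring(xml_text)
    adds = root.findall(".//httpProtocol/customHeaders/add")
    return {a.get("name"): a.get("value") for a in adds if a.get("name")}

def response_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}."""
    sent = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            sent.setdefault(name.strip().lower(), []).append(value.strip())
    return sent

def audit(xml_text, raw):
    """List (header, problem, detail) where the response disagrees with web.config."""
    sent = response_headers(raw)
    findings = []
    for name, value in configured_headers(xml_text).items():
        got = sent.get(name.lower())
        if got is None:
            findings.append((name, "missing", None))
        elif value not in got:
            findings.append((name, "wrong-value", got[0]))
        # Heuristic for the symptom in this thread: the configured value shows
        # up under a different header, alone or appended after ": ".
        for other, values in sent.items():
            if other != name.lower() and any(
                    v == value or v.endswith(": " + value) for v in values):
                findings.append((name, "value-under", other))
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_CONFIG, RESPONSE):
        print(finding)
```

For the response quoted in the post, `X-Content-Type-Options` is reported as carrying `Test` instead of `nosniff`, so the MIME-sniffing protection the configuration asks for is not in effect on that response.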

All replies

  • Interesting… Can you see how this compares to 2016? Also, what version of Windows are you running (IIS Version)?

    Mike Lee

    Thursday, November 8, 2018 4:17 PM
  • :)
    Server: Microsoft-IIS/10.0

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, November 8, 2018 4:42 PM
  • Interesting… Can you see how this compares to 2016? Also, what version of Windows are you running (IIS Version)?

    Mike Lee

    In SharePoint 2016 it works as expected.

          <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
            <add name="X-Test" value="Test" />
          </customHeaders>

    Response headers:

    HTTP/1.1 200 OK
    Cache-Control: private, max-age=86400
    Content-Type: text/html; charset=utf-8
    Expires: Fri, 09 Nov 2018 18:41:46 GMT
    Server: Microsoft-IIS/10.0
    X-SharePointHealthScore: 0
    X-AspNet-Version: 4.0.30319
    SPRequestGuid: e26ca09e-78eb-a083-f247-a5300813aa05
    request-id: e26ca09e-78eb-a083-f247-a5300813aa05
    X-FRAME-OPTIONS: SAMEORIGIN
    SPRequestDuration: 17
    SPIisLatency: 0
    X-Powered-By: ASP.NET
    MicrosoftSharePointTeamServices: 16.0.0.4717
    X-Content-Type-Options: nosniff
    X-MS-InvokeApp: 1; RequireReadOnly
    X-Test: Test
    Date: Thu, 08 Nov 2018 18:41:46 GMT
    Content-Length: 20519

    Thursday, November 8, 2018 6:45 PM
  • Also, what version of Windows are you running (IIS Version)?
    Tested it on Windows Server 2016 and 2019, same result.
    Thursday, November 8, 2018 6:48 PM
  • Hi MS,

    Any news regarding this issue? We face the same problem here!

    regards,

    Ruud

    Monday, November 26, 2018 9:28 AM
  • I'll test this in my lab today and let you know if I'm able to reproduce it.

    Mike Lee

    Monday, November 26, 2018 2:19 PM
  • Ok it looks like there is something here that requires further investigation. 

    I will make our product group aware of this issue and update this thread.

    Thanks for bringing this to our attention.

    Regards,


    Mike Lee

    Monday, November 26, 2018 7:09 PM
  • Looks like we will fix this issue in a future patch. In the meantime, you can fix it manually in IIS to match the 2016 settings (with the updated "MicrosoftSharePointTeamServices" version).

    Regards,


    Mike Lee

    Tuesday, November 27, 2018 8:21 PM
  • I have another forum item up due to not being able to open up SP2019 site in Edge. Could these be related? IE11 & Chrome work fine...Edge just goes catatonic.

    Thursday, January 31, 2019 2:31 PM
  • well...just tried again today and it DID open the page up...but did not sign me in automatically (like IE & Chrome - I put the site in the Trusted list via Group Policy)

    weird

    Thursday, January 31, 2019 2:33 PM
  • Confirmed that this is still an issue in the latest update for SharePoint 2019. Is this on the backlog to be fixed or are we going to have to keep manually correcting this bug?
    Wednesday, September 25, 2019 4:17 PM
  • Just ran into this issue and escalated via Premier Services--the fix is now supposed to be included in the November 2019 CU.  The mismatch caused documents accessed via links to download to appdata using Edge instead of opening connected to SharePoint.
    Thursday, November 7, 2019 4:23 PM
  • The fix for the HTTP header corruption issue is now available in the November 2019 Public Update for SharePoint Server 2019:

    This security update contains improvements and fixes for the following nonsecurity issues:

    • Corrects an issue in which certain HTTP headers are malformed in responses from SharePoint.


    Remember to install both the core update and the language pack/MUI update together.

    4484142 Description of the security update for SharePoint Server 2019: November 12, 2019
    4484149 Description of the security update for SharePoint Server 2019 Language Pack: November 12, 2019

    - Troy Starr [MSFT]


    Wednesday, November 13, 2019 5:54 AM