Raw markup displayed in Chrome instead of SSO redirect - IdentityProvider.SendSAMLResponseByHTTPPost

Question

We are using ComponentSpace.SAML2.Profiles.SSOBrowser.IdentityProvider and calling SendSAMLResponseByHTTPPost to perform SSO and redirect a user to another URL.

This is working fine on IE and Firefox, but on Chrome the following is displayed in the browser

<html xmlns="http://www.w3.org/1999/xhtml">
    <body onload="document.forms.samlform.submit()">
        <noscript>
            <p><strong>Note:</strong> Since your browser does not support Javascript, you must press the Continue button once to proceed.</p>
        </noscript>
        <form id="samlform" action="https://REDACTED URL" method="post">
        <div>
            <input type="hidden" name="SAMLResponse" value="REDACTED SAMLResponse"/>
            <input type="hidden" name="RelayState" value="https://REDACTED URL"/>
        </div>
        <noscript>
            <div><input type="submit" value="Continue"/></div>
        </noscript>
        </form>
    </body>
</html>

This is working on Chrome in a local environment with the same code.

There are some SSL certificate issues on the environment where we are experiencing the problem. Not sure if this could be related - is Chrome is more strict about this than other browsers?

Answer 1

This is because a header "x-content-type-options: nosniff" was present which prevents Chrome from determining the MIME type on its own. Explicitly adding a Content-Type header resolved the issue. https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Answer 2

Thanks for the information.

We haven't seen that with Chrome or any other browser.

Tracing the HTTP traffic I see that the following header is included:

Content-Type: text/html; charset=utf-8

I wonder if in your scenario an intermediate node has stripped this header?