undefined | Better HN

0 pointssvens_1mo ago0 comments

This assumption has unfortunately led to countless security issues, at least in the past. The nosniff header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), was created because of this and should be added.

While this probably works, you should also add a restrictive CSP (using the sandbox directive).

Forcing the download (via Content-Disposition header) would likely be even better, but it is annoying for users.

0 comments

cxr1mo ago

Replying to this comment because though it's vague in specifics it reads as authoritative and knowledgeable. In reality, it confuses/conflates multiple things.

Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.

j / k navigate · click thread line to collapse

0 pointssvens_1mo ago0 comments

While this probably works, you should also add a restrictive CSP (using the sandbox directive).

Forcing the download (via Content-Disposition header) would likely be even better, but it is annoying for users.

0 comments

cxr1mo ago

Replying to this comment because though it's vague in specifics it reads as authoritative and knowledgeable. In reality, it confuses/conflates multiple things.

Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.

j / k navigate · click thread line to collapse