Consider relaxing text/plain Content-Type downgrade in Workhorse
In https://gitlab.com/gitlab-org/gitlab/-/blob/dd1e70d3676891025534dc4a1e89ca9383178fe7/workhorse/internal/headers/content_headers.go#L66-70, Workhorse looks for MIME types matching `text/*` and downgrades them to `text/plain`, so that arbitrary HTML and JavaScript in an artifact cannot run on the same domain:

```go
// If the content is text type, we set to plain, because we don't
// want to render it inline if they're html or javascript
if isType(contentType, textTypeRegex) {
	return textPlainContentType
}
```
#357078 (comment 1020474149) asks:

> During that time we encountered a need to be able to preview some other files in browser alongside HTML, say Markdown files, JSON or YAML files to check the build result or debug it. While we can switch to Pages to overcome HTML rendering is there a way to enable preview for artifacts in the browser for some other file types?
Proposal:

Relax the regex and allow a known list of "safe" types. The full list is in https://www.iana.org/assignments/media-types/media-types.xhtml#text.

- text/yaml (from https://www.freeformatter.com/mime-types-list.html, not in the official full list)
- text/json: any issues with this?
- text/markdown
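As an added example (not Workhorse code and not part of this issue), the sketch below puts the proposed allowlist next to an approximation of today's catch-all rule. The `textPlainContentType` value, the function names, and the inclusion of `text/plain` in the allowlist are assumptions. The point of parsing with `mime.ParseMediaType` is that the allowlist is compared against the normalised media type, so case and parameters such as `charset` cannot turn a `text/html` response into something the list accepts; anything not on the list still falls through to `text/plain`.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Fallback for any text type that is not allowed inline. The real Workhorse
// constant is not reproduced here; this value is an assumption.
const textPlainContentType = "text/plain; charset=utf-8"

// currentInlineContentType approximates today's text branch: every text/*
// type is downgraded to text/plain, no exceptions. Non-text types are
// returned unchanged, which is all this sketch models.
func currentInlineContentType(contentType string) string {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil || strings.HasPrefix(mediaType, "text/") {
		return textPlainContentType
	}
	return contentType
}

// safeTextTypes is the allowlist proposed in the issue (text/plain added as
// an assumption). Keys are lowercase media types without parameters.
var safeTextTypes = map[string]bool{
	"text/plain":    true,
	"text/markdown": true,
	"text/yaml":     true,
	"text/json":     true,
}

// proposedInlineContentType implements the relaxed rule: allowlisted text
// types keep their type with a pinned charset; every other text type,
// text/html and text/javascript included, is still downgraded to text/plain.
func proposedInlineContentType(contentType string) string {
	mediaType, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		// Unparseable or empty header: keep the conservative default.
		return textPlainContentType
	}
	if !strings.HasPrefix(mediaType, "text/") {
		// Non-text types are outside the scope of this rule.
		return contentType
	}
	if !safeTextTypes[mediaType] {
		return textPlainContentType
	}
	// Keep the allowed type but pin the charset, so the browser does not
	// pick one from the body.
	params["charset"] = "utf-8"
	return mime.FormatMediaType(mediaType, params)
}

func main() {
	// Constructed sample inputs, including case and parameter variations
	// that a naive string comparison would get wrong.
	samples := []string{
		"text/html; charset=utf-8",
		"text/javascript",
		"Text/YAML",
		"text/markdown; charset=iso-8859-1",
		"text/json",
		"text/xml",
		"application/json",
		"",
	}
	for _, s := range samples {
		fmt.Printf("%-36q current=%-26q proposed=%q\n",
			s, currentInlineContentType(s), proposedInlineContentType(s))
	}
}
```

Whatever the final list looks like, the artifact response should keep sending `X-Content-Type-Options: nosniff`, since the downgrade only helps if the browser honours the declared type rather than sniffing one from the body.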
@dcouture @iamricecake @morefice What do you think?