Currently, the way we infer the content type of uploads is pretty crude: it's done by file extension. Instead we should do the following.
During upload, actually look at the file headers (magic bytes) to decide on a content type.
Set the download property on the file download links, except maybe for images, videos and PDFs. In particular, we shouldn't serve HTML documents as-is; displayed in the browser they could steal cookies.
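Added example (not the project's own code) of both steps: sniff the content type from the upload's first bytes instead of trusting the extension, then force a download for anything not in the inline-safe set. The signature table and the helper names are assumptions for illustration.

```python
import html

# Illustrative magic-byte table (assumption: not a complete registry).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Only these are rendered inline; everything else is served as an attachment.
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf", "video/mp4"}


def sniff_content_type(head: bytes) -> str:
    """Decide the content type from the leading bytes, never from the filename."""
    for sig, ctype in SIGNATURES:
        if head.startswith(sig):
            return ctype
    # MP4 family: the 'ftyp' box tag sits at bytes 4..8, after the box size.
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "video/mp4"
    # Unknown (including HTML, SVG, scripts): opaque binary, never rendered.
    return "application/octet-stream"


def response_headers(head: bytes, filename: str) -> dict:
    """Headers for serving the stored file; non-inline types are forced to download."""
    ctype = sniff_content_type(head)
    disposition = "inline" if ctype in INLINE_TYPES else "attachment"
    safe_name = filename.replace('"', "").replace("\\", "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",  # stop browsers re-sniffing our choice
    }


def download_link(url: str, filename: str, ctype: str) -> str:
    """Render the <a> tag; the download attribute is set unless the type is inline-safe."""
    attr = "" if ctype in INLINE_TYPES else " download"
    return f'<a href="{html.escape(url, quote=True)}"{attr}>{html.escape(filename)}</a>'
```

A file uploaded as "photo.png" whose bytes start with `<!DOCTYPE html>` therefore comes back as `application/octet-stream` with `Content-Disposition: attachment`, so the browser never renders it in the site's origin.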