tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

drive/driveimpl: rewrite text/html Content-Type to text/plain #11917

Closed oxtoacart closed 2 weeks ago

oxtoacart commented 3 weeks ago

This prevents Taildrive from being able to serve HTML content, thereby preventing it from being used to distribute malicious JavaScript.

Updates tailscale/corp#19592

oxtoacart commented 2 weeks ago

It turns out that a lot of content types could result in content being parsed in such a way that JavaScript execution becomes possible. Since we ultimately can't control user-agents, this may not be something we can do anything about.
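A sketch of the kind of Content-Type rewrite the PR title describes, added here as an example; it is not the code from this PR or from Tailscale. The names `NoHTML` and `plainWriter`, the `scriptable` list and the listen address are assumptions, and because the list cannot be exhaustive the wrapper also sets `X-Content-Type-Options: nosniff` and never leaves the type unset.

```go
package main

import (
	"mime"
	"net/http"
)

// scriptable: media types a browser may parse as active content (assumed list, not exhaustive).
var scriptable = map[string]bool{"text/html": true, "application/xhtml+xml": true, "image/svg+xml": true}

// plainWriter fixes the Content-Type header just before the headers are sent.
type plainWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *plainWriter) WriteHeader(code int) {
	h := w.Header()
	mt, _, err := mime.ParseMediaType(h.Get("Content-Type"))
	switch {
	case err != nil: // missing or malformed: set a type so net/http does not sniff the body
		h.Set("Content-Type", "application/octet-stream")
	case scriptable[mt]: // ParseMediaType lowercases mt, so "Text/HTML" matches too
		h.Set("Content-Type", "text/plain; charset=utf-8")
	}
	h.Set("X-Content-Type-Options", "nosniff") // ask the browser not to second-guess the type
	w.wroteHeader = true
	w.ResponseWriter.WriteHeader(code)
}

// Write covers handlers that never call WriteHeader explicitly.
func (w *plainWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(b)
}

// NoHTML (hypothetical name) wraps next so its responses are not labelled as HTML.
func NoHTML(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&plainWriter{ResponseWriter: w}, r)
	})
}

// Constructed usage: serve the current directory on loopback through the wrapper.
func main() {
	http.ListenAndServe("127.0.0.1:8080", NoHTML(http.FileServer(http.Dir("."))))
}
```

The wrapper does not forward optional interfaces such as `http.Flusher`, and a rewritten response is always labelled `charset=utf-8` regardless of the original charset parameter.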