Closed csabaxyz closed 5 years ago
Hey, I just started validating micro in a new project, and I found this to be kind of an issue right off the bat.
The issue is kind of related to this one: https://github.com/zeit/micro/issues/296
If you take a simple example like this:
module.exports = (req, res) => { return '<h1>Hello World áéíóöőúüű</h1>' }
The end result is going to look something like this:
Hello World áéÃóöőúüű
This reminds me of the old-school UTF-7 hacks, that were possible because of the missing charset header: http://michaelthelin.se/security/2014/06/08/web-security-cross-site-scripting-attacks-using-utf-7.html
Also, if you set the:
res.setHeader('X-Content-Type-Options', 'nosniff')
Then the above return will show up as text and not html.
One solution could be something like what koa uses: https://github.com/koajs/koa/blob/281a04e8e12735300566b030d39eb277c8ad1e74/lib/response.js#L153-L158
What do you think?
I think forcing the charSet would be breaking for all existing implementations of micro 🤔
cc @rauchg @leo
Going to close this per my earlier comment.