net/http: Does DetectContentType support JavaScript?

mime-types http go content-negotiation

Solution 1:

As the doc comment notes, DetectContentType implements the algorithm described at https://mimesniff.spec.whatwg.org/, which does not detect JavaScript. The question then becomes: why doesn't it?

The answer is given in the introduction of the spec:

These security issues are most severe when an "honest" server allows potentially malicious users to upload their own files and then serves the contents of those files with a low-privilege MIME type. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a user agent believes the content to be HTML (and thus privileged to execute any scripts contained therein), an attacker might be able to steal the user’s authentication credentials and mount other cross-site scripting attacks. (Malicious servers, of course, can specify an arbitrary MIME type in the Content-Type header field.)

This document describes a content sniffing algorithm that carefully balances the compatibility needs of user agent with the security constraints imposed by existing web content.

Labelling untrusted input as JavaScript when it's not (or even when it is!) could lead to security disasters.

Related

Cannot open mailbox /var/mail/USER: Permission denied No mail for USER
How can I save the view to sort by CPU usage?
set PCmanFM default folder view
Why does Ubuntu need to reboot so often?
How to discard saved password for samba share in unity?
Is it possible to assign shortcuts to launch applications?
Is there a Facebook messenger app
Horizontal scrolling in Firefox to Shift+Mouse Scroll (instead of Back/Forward)
Extra mouse buttons not working in virtualization (VMware/VirtualBox, ubuntu host)
How to turn off Software updater? (Xubuntu)
How to change the keyboard shortcut to take screenshots with Shutter?
Can I ignore files by pattern in deja-dup (Backup)?