[API] Provide correct MIME type when getting a raw text file #3937

New Issue

Closed

opened 2025-11-02 05:31:08 -06:00 by GiteaMirror · 3 comments

GiteaMirror commented 2025-11-02 05:31:08 -06:00

Owner

Copy Link

Originally created by @danielappelt on GitHub (Sep 11, 2019).

• Gitea version (or commit ref): 1.10.0+dev-274-g3fd0eec90
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

When fetching a raw text file via the API the content type header does not reflect the file's MIME type.
https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/js/draw.js

Content-Type: text/plain; charset=utf-8

Expected result would be:

Content-Type: application/javascript

When fetching an image file via the API, the content type seems to be set correctly though:
https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/img/404.png

Content-Type: image/png

This is related to issue #7620.

Originally created by @danielappelt on GitHub (Sep 11, 2019). <!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue --> <!-- 1. Please speak English, this is the language all maintainers can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/gitea) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.10.0+dev-274-g3fd0eec90 - Can you reproduce the bug at https://try.gitea.io: - [X] Yes (provide example URL) - [ ] No - [ ] Not relevant ## Description When fetching a raw text file via the API the content type header does not reflect the file's MIME type. https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/js/draw.js `Content-Type: text/plain; charset=utf-8` Expected result would be: `Content-Type: application/javascript` When fetching an image file via the API, the content type seems to be set correctly though: https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/img/404.png `Content-Type: image/png` This is related to issue #7620.

GiteaMirror added the type/proposaltopic/security labels 2025-11-02 05:31:08 -06:00

GiteaMirror closed this issue 2025-11-02 05:31:09 -06:00

GiteaMirror commented 2025-11-02 05:31:09 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (Apr 6, 2021):

There are security implications when serving scripts with the proper mime type because that allow browser to load them from <script> tags. If this is implemented, I suggest making the behaviour optional and default off. GitHub also serves as text/plain, FWIW:

$ curl -v https://raw.githubusercontent.com/go-gitea/gitea/master/web_src/js/jquery.js |& grep -i content-type
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff

@silverwind commented on GitHub (Apr 6, 2021): There are security implications when serving scripts with the proper mime type because that allow browser to load them from `<script>` tags. If this is implemented, I suggest making the behaviour optional and default off. GitHub also serves as `text/plain`, FWIW: ```bash $ curl -v https://raw.githubusercontent.com/go-gitea/gitea/master/web_src/js/jquery.js |& grep -i content-type < content-type: text/plain; charset=utf-8 < x-content-type-options: nosniff

GiteaMirror commented 2025-11-02 05:31:09 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (Apr 14, 2021):

I think we should keep to generic mime types, e.g. text/plain and application/octet-stream for binary data which also matches GitHub's behaviour. SVG is an acceptable exception because we use that on the gitea UI and we serve it with security headers in place.

We could expose a user-configurable config section where they can add their mime type mapping to allow them to serve custom mime types (and potentially lower their security).

[download.mimetype.mapping]
.apk=application/vnd.android.package-archive
.js=application/javascript

@silverwind commented on GitHub (Apr 14, 2021): I think we should keep to generic mime types, e.g. `text/plain` and `application/octet-stream` for binary data which also matches GitHub's behaviour. SVG is an acceptable exception because we use that on the gitea UI and we serve it with security headers in place. We could expose a user-configurable config section where they can add their mime type mapping to allow them to serve custom mime types (and potentially lower their security). ```ini [download.mimetype.mapping] .apk=application/vnd.android.package-archive .js=application/javascript ```

GiteaMirror commented 2025-11-02 05:31:10 -06:00

Author

Owner

Copy Link

@szatyinadam commented on GitHub (May 9, 2021):

Can anyone check the PR for this issue? #15133

@szatyinadam commented on GitHub (May 9, 2021): Can anyone check the PR for this issue? #15133

GiteaMirror referenced this issue 2025-11-02 12:27:38 -06:00

[PR #3937] [CLOSED] Add redis built into Gitea in Docker image by default #17152

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/security type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#3937