Mantis - Resin
Viewing Issue Advanced Details
ID: 6237
Severity: feature
Reproducibility: always
Date Submitted: 05-07-19 08:57
Last Update: 06-26-19 13:38
Reporter: stbu
Assigned To: ferg
Priority: normal
Status: closed
Product Version: 4.0.61
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 4.0.63
0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet
TL;DR: A Resin configuration option to improve security regarding cross-site scripting with a default MIME type.

Current Behavior:
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the HTTP response will *not* have a Content-Type header.

Desired Behavior:
Define a default mime type value like "text/plain" in resin.xml.
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the default-mime-type value is used in the HTTP response header Content-Type.


Background:
Unfortunately, browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header saying otherwise.

See also: https://www.youtube.com/watch?v=dBJt3eR8-bg (12-minute video, titled "Fun with Apache and MIME types - Hanno Böck")

Note: W3C Standard Authoritative Metadata says:
 "Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation."
=> Therefore it is a standard to enable Cross Site Scripting.

But software doesn't have to follow stupid standards!


Suggestion for com.caucho.servlets.FileServlet:
Somewhere around line 434:

    if (mime != null) {
      res.setContentType(mime);
    }
+ else if (defaultMimeType != null) {
+ res.setContentType(defaultMimeType);
+ }
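Review bot: `defaultMimeType` is referenced in the added `else if` branch but is neither declared nor initialised anywhere in the hunk; it needs to be a field of FileServlet that is populated during servlet init (from the proposed resin.xml option or init-param), and the suggestion should show that assignment, otherwise the reference does not resolve. Minor: the three `+` lines should carry the same indentation as the `if (mime != null)` block they extend, e.g. `    else if (defaultMimeType != null) {`.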

And defaultMimeType is retrieved from a new Resin configuration option or maybe a new servlet init parameter in app-default.xml.
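To show how the requested fallback would be wired end to end, here is an added example (not Resin's FileServlet and not the reporter's code): a minimal file-serving servlet that reads a hypothetical `default-mime-type` init parameter and applies it only when the container has no mapping for the requested file. The parameter name and the servlet class are assumptions.

```java
// Added example, not part of Resin: a file servlet with a configurable default
// Content-Type. "default-mime-type" is a hypothetical init-param name, e.g.
//   <init-param><param-name>default-mime-type</param-name>
//               <param-value>text/plain</param-value></init-param>
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DefaultMimeFileServlet extends HttpServlet {
  // null keeps today's behaviour: no Content-Type header when there is no mapping
  private String defaultMimeType;

  @Override
  public void init(ServletConfig config) throws ServletException {
    super.init(config);
    defaultMimeType = config.getInitParameter("default-mime-type");
  }

  /** Mapped type first, configured default second, otherwise null (no header). */
  String resolveContentType(String path) {
    String mime = getServletContext().getMimeType(path);
    return (mime != null) ? mime : defaultMimeType;
  }

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    String path = req.getServletPath()
        + (req.getPathInfo() == null ? "" : req.getPathInfo());
    InputStream in = getServletContext().getResourceAsStream(path);
    if (in == null) {
      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return;
    }
    String contentType = resolveContentType(path);
    if (contentType != null) {
      res.setContentType(contentType); // e.g. text/plain for an unmapped ".foo"
    }
    try (InputStream src = in; OutputStream out = res.getOutputStream()) {
      byte[] buf = new byte[8192];
      int n;
      while ((n = src.read(buf)) > 0) {
        out.write(buf, 0, n);
      }
    }
  }
}
```

With the init-param unset, `resolveContentType` returns null for unmapped extensions and the response carries no Content-Type, which is exactly the current behaviour described above.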

Notes
(0006906) ferg, 06-26-19 13:38:
server/1978