Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-03-23 11:34:09 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Explain why trusting use content type is fine

Browse source 
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
This commit is contained in:
Kévin Commaille 2024-08-23 12:32:38 +02:00
parent abee907590
commit c4d280542a
No known key found for this signature in database
GPG key ID: 0C971D9DBC9D678D
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
content/client-server-api/modules/content_repo.md
View file

@ -204,7 +204,12 @@ one of the following values when serving content with `Content-Disposition: inli
* `audio/flac`
* `audio/x-flac`
These types are unlikely to cause Cross-Site Scripting issues within clients.
These types are unlikely to cause Cross-Site Scripting issues when a `Content-Type`
header is provided, as clients will only try to render the data using that content
type. For example, if a HTML file is uploaded with a `Content-Type` of `image/png`,
clients will just assume that the image is corrupted, and won't render it as a
HTML page. Therefore, there is no risk in trusting the user-defined content type,
as long as the `Content-Disposition` is calculated based on that type.
Clients SHOULD NOT rely on servers returning `inline` rather than `attachment`
on `/download`. Server implementations might decide out of an abundance of