Opened at 2013-12-02T17:22:33Z
Last modified at 2013-12-07T04:10:23Z
#2126 new defect
send application/json content-type for JSON response
Reported by: | freddyb | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.10.0 |
Keywords: | json http mime standards webapi | Cc: | |
Launchpad Bug: |
Description
Multiple files in the web directory contain the line inevow.IRequest(ctx).setHeader("content-type", "text/plain") for JSON responses. The correct type would be application/json.
I guess this is a minor issue, though content-type confusions have caused XSS for users of Internet Explorer (though mostly when it incorrectly guesses an HTML type, I don't know if this applies with text/plain already given).
Change History (2)
comment:1 Changed at 2013-12-03T00:05:15Z by daira
comment:2 Changed at 2013-12-07T04:10:23Z by daira
- Component changed from website to code-frontend-web
- Keywords json http mime standards webapi added
text/plain is more likely to trigger MIME type guessing than application/$FOO (unless $FOO = octet-string), because of the prevalence of servers that use text/plain as a default when they don't know. However, Internet Explorer is generally guessing-happy unless you specifically use headers to ask it not to be.
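
A response audit for the issue discussed in this ticket, as an added example that is not part of the ticket or the project's code: it flags JSON bodies served with a type other than application/json and responses that do not opt out of MIME guessing. It assumes the opt-out header the last comment alludes to is `X-Content-Type-Options: nosniff`; the function names and sample responses are constructed for illustration.

```python
import json

# Types browsers commonly content-sniff, since servers use them as defaults.
SNIFF_PRONE = {"", "text/plain", "application/octet-stream"}

def looks_like_json(body):
    """True if body (str or bytes) parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:  # includes JSONDecodeError and UnicodeDecodeError
        return False

def audit_json_response(headers, body):
    """Return findings for one response; an empty list means it is fine."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    if not looks_like_json(body):
        return []
    findings = []
    # Drop parameters such as "; charset=utf-8" before comparing.
    mtype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if mtype != "application/json":
        kind = "sniff-prone" if mtype in SNIFF_PRONE else "incorrect"
        findings.append("JSON body sent with %s Content-Type %r"
                        % (kind, mtype or "<missing>"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is not set")
    return findings

# Constructed sample responses (not captured from a real node).
SAMPLES = [
    ("as reported", {"Content-Type": "text/plain"}, b'{"ok": true}'),
    ("type fixed only", {"Content-Type": "application/json"}, b'{"ok": true}'),
    ("type fixed + nosniff",
     {"Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff"}, b'{"ok": true}'),
]

if __name__ == "__main__":
    for name, headers, body in SAMPLES:
        print(name, "->", audit_json_response(headers, body) or "OK")
```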