Diffstat (limited to 'workhorse/internal/headers/content_headers.go')
-rw-r--r-- | workhorse/internal/headers/content_headers.go | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/workhorse/internal/headers/content_headers.go b/workhorse/internal/headers/content_headers.go
index 8cca3d97e82..854cc8abddd 100644
--- a/workhorse/internal/headers/content_headers.go
+++ b/workhorse/internal/headers/content_headers.go
@@ -43,6 +43,16 @@ const (
 func SafeContentHeaders(data []byte, contentDisposition string) (string, string) {
 contentType := safeContentType(data)
 contentDisposition = safeContentDisposition(contentType, contentDisposition)
+
+ // Set attachments to application/octet-stream since browsers can do
+ // a better job distinguishing certain types (for example: ZIP files
+ // vs. Microsoft .docx files). However, browsers may safely render SVGs even
+ // when Content-Disposition is an attachment but only if the SVG
+ // Content-Type is set. Note that scripts in an SVG file will only be executed
+ // if the file is downloaded separately with an inline Content-Disposition.
+ if attachmentRegex.MatchString(contentDisposition) && !isType(contentType, svgMimeTypeRegex) {
+ contentType = "application/octet-stream"
+ }
 return contentType, contentDisposition
 }
|
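Review bot: The new octet-stream downgrade and its SVG carve-out in SafeContentHeaders are not pinned by any test — the diffstat shows only content_headers.go changing — so the three cases the comment describes (attachment with non-SVG content, attachment with SVG content, inline disposition) should each get a table-driven case in the sibling test file (conventionally content_headers_test.go) asserting the returned Content-Type. The downgrade also hinges on attachmentRegex and svgMimeTypeRegex, which are defined outside the hunk; if either is not anchored or not case-insensitive, a disposition or MIME type that safeContentDisposition/safeContentType produce in a different spelling would silently skip the downgrade, which is the fail-open direction, so that is worth confirming against their definitions. The comment's SVG sentence is hard to follow as written; I would restate it as `// Keep the SVG Content-Type even for attachments: an attachment disposition is not rendered, and the scripts in an SVG only run if it is later served with an inline disposition.` so the why of the exception is explicit. The `"application/octet-stream"` literal would also read better as a named constant alongside the existing const block the hunk header points to, if that block already holds MIME types.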