Issue #3035 wontfix

Content-type of raw view of HTML files in a repository

Yung-Yu Chen
created an issue

In the past the raw view of a HTML file in a repository can be shown as a valid web page in browser. In this way bitbucket can be used as a simple web page holder.

Since several weeks ago the content-type became text/plain instead of text/html. Could the content-type be changed back to text/html for HTML files?

Comments (7)

  1. Dylan Etkin

    I am afraid that setting the content type to text/html is a huge security hole. It opens our site up to XSS holes.

    We are not in the business of hosting HTML, just storing code.

    Cheers,

    Dylan

  2. Jason R. Coombs

    This would be an extremely useful feature for me. While the bulk of my project is code, I have a small web page that I use for working with the server the code represents. It would be most convenient to be able to load that page from the repository directly.

    I respect the issue regarding the XSS attack vector. Perhaps it would be possible to have a separate domain (e.g. http://static.bitbucket.org or http://bitbucket-static.org) which only allows static references to repository files, but can return relevant content types.

    I also respect that this issue has already been considered and marked 'wontfix', but I wanted to share this specific use-case for your consideration.

  3. thedillonb

    There is also abnormalities when requesting other types of information. If I request the raw data of a "png" file I get:

    Content-Type: text/plain; charset=utf-8

    which is incorrect since the png is not text...

  4. Pekka Klärck

    I noticed this with https://bitbucket.org/pekkaklarck/robotframeworklexer when the HTML example file I committed did not show correctly on the browser. I probably can put that into downloads but that makes updating the example pretty annoying.

    Interestingly Google Code does show raw files using the correct mime-type. GitHub doesn't, but there you have project specific GitHub pages where you can easily host all documentation/examples. In this comparison BitBucket loses pretty badly.

  5. mackyle

    What about allowing raw view to return the file using its correct mime type when accessed via a raw URL using http: rather than https:? This should avoid the XSS hole so long as all non-raw URLs continue to redirect from http: to https:.

    Some source projects have docs subdirectories and/or images that it would be most convenient to be able to view in rendered form without needing to first clone the repository. This is especially true when needing to look at various versions of a resource (particularly a binary resource such as an image) to see how it's been changed from one revision to the next.

  6. Log in to comment