[API] Provide correct MIME type when getting a raw text file

[danielappelt]

• Gitea version (or commit ref): 1.10.0+dev-274-g3fd0eec90
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

When fetching a raw text file via the API the content type header does not reflect the file's MIME type.
https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/js/draw.js

Content-Type: text/plain; charset=utf-8

Expected result would be:

Content-Type: application/javascript

When fetching an image file via the API, the content type seems to be set correctly though:
https://try.gitea.io/api/v1/repos/go-gitea/gitea/raw/public/img/404.png

Content-Type: image/png

This is related to issue #7620.

[silverwind]

There are security implications when serving scripts with the proper mime type because that allow browser to load them from <script> tags. If this is implemented, I suggest making the behaviour optional and default off. GitHub also serves as text/plain, FWIW:

$ curl -v https://raw.githubusercontent.com/go-gitea/gitea/master/web_src/js/jquery.js |& grep -i content-type
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff

[silverwind]

I think we should keep to generic mime types, e.g. text/plain and application/octet-stream for binary data which also matches GitHub's behaviour. SVG is an acceptable exception because we use that on the gitea UI and we serve it with security headers in place.

We could expose a user-configurable config section where they can add their mime type mapping to allow them to serve custom mime types (and potentially lower their security).

[download.mimetype.mapping]
.apk=application/vnd.android.package-archive
.js=application/javascript

[szatyinadam]

Can anyone check the PR for this issue? #15133