Description
There is constant background noise about this web client or that web client mistakenly treating http.Error's responses as HTML and therefore being subject to scripting attacks. This is awful, and depressing, and generally disgusting.
One way to eliminate the noise would be to change Error from sending back (approximately)

    Content-Type: text/plain
    <ERROR HERE>

to

    Content-Type: text/html
    <pre>
    <ERROR HERE>

That is, if everyone is going to interpret the result as HTML, okay fine, let's send (and correctly Content-Type) an actual HTML response with proper escaping of the message.
Anyone see any reasons not to do this? The only one I can think of is that it makes clients of API services that send back http.Error errors have to deal with the HTML, but as a writer of API service clients myself, most of the errors I see come back in HTML anyway, because they're generated by some box in front of the API service.
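
The response shape proposed above, next to what `http.Error` sends today, as an added example that is not part of the original issue or of net/http. `htmlError` and `render` are hypothetical names, the closing `</pre>` and the `nosniff` header are assumptions, and the sample message is constructed.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
)

// htmlError is a hypothetical helper (not part of net/http). It declares the
// response as HTML and escapes the message so it can only render as text.
func htmlError(w http.ResponseWriter, msg string, code int) {
	h := w.Header()
	h.Set("Content-Type", "text/html; charset=utf-8")
	// Assumption: also tell browsers not to second-guess the declared type.
	h.Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(code)
	// html.EscapeString rewrites <, >, &, ' and " as character references.
	fmt.Fprintf(w, "<pre>\n%s\n</pre>\n", html.EscapeString(msg))
}

// render calls an error writer against an in-memory recorder and returns the
// Content-Type and body a client would receive.
func render(write func(http.ResponseWriter, string, int), msg string) (string, string) {
	rec := httptest.NewRecorder()
	write(rec, msg, http.StatusBadRequest)
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	// Constructed sample: an error message that echoes request-supplied text.
	msg := `bad parameter "<script>alert(1)</script>"`

	ct, body := render(http.Error, msg)
	fmt.Printf("http.Error  %s\n%s\n", ct, body)

	ct, body = render(htmlError, msg)
	fmt.Printf("htmlError   %s\n%s", ct, body)
}
```

With `http.Error` the markup in the message reaches the client byte for byte, so safety depends on the client honouring `text/plain`; with the escaped form the same bytes are inert even when the body is parsed as HTML.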