Use application/octet-stream as Content-Type for files in CI artifacts (!63273) · Merge requests · GitLab.org / GitLab

Stan Hu requested to merge sh-simplify-artifacts-content-type into master Jun 04, 2021

This eliminates the need for Workhorse to set Content-Type by guessing based on file extension.

If Content-Disposition is attachment, the browser will prompt the user for an action. In Chrome, the user is always prompted to save the file, and the filename extension in the Content-Disposition header determines the saved file's default extension. Chrome appears to ignore Content-Type if Content-Disposition is an attachment.

In Firefox, the user is prompted with two options: save the file, or open it with a program. Again, the filename extension in the Content-Disposition header determines the saved file's default extension. In addition, this extension is used to guess which default program should open the file. If the extension isn't present, Firefox falls back to Content-Type.

Safari combines both approaches. Like Chrome, it only prompts the user to save the file. Like Firefox, it falls back to the extension provided in Content-Type if the Content-Disposition filename is not present.

Hence, Workhorse's setting of Content-Type based on extension provides no additional information and may even be a security risk if the Content-Disposition is subverted.

Edited Jun 04, 2021 by Stan Hu

Use application/octet-stream as Content-Type for files in CI artifacts

Merge request reports