On Thu, Jan 14, 2016 at 11:57 AM, John Keeping <j...@keeping.me.uk> wrote: > I wonder if we should just drop support for the "mimetype" query > parameter and see if anyone complains. In general, I would expect it to > be the server's responsibility to decide on the type of its output and > allowing the client to override it seems like a problem in general.
Agreed here. We still have the other issue of git repos containing valid html with malicious scripts and whatnot, though. Can we simply kill the feature of allowing HTML to be served from cgit? This would indeed fix the security issue in the best way. But would folks complain? _______________________________________________ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
