> If we are worried about XSS, why not start by having raw just return
> everything as application/octet-stream until we figure out how to
> protect against it?
Because we already have /download/ for that. This is about displaying content in the browser.