go: net/http: change Error to generate an HTML page

There is constant background noise about this web client or that web client mistakenly treating http.Error’s responses as HTML and therefore being subject to scripting attacks. This is awful, and depressing, and generally disgusting.

One way to eliminate the noise would be to change Error from sending back (approximately)

Content-Type: text/plain

<ERROR HERE>

to

Content-Type: text/html

<pre>
&lt;ERROR HERE&gt;

That is, if everyone is going to interpret the result as HTML, okay fine, let’s send (and correctly Content-Type) an actual HTML response with proper escaping of the message.

Anyone see any reasons not to do this? The only one I can think of is that it makes clients of API services that send back http.Error errors have to deal with the HTML, but as a writer of API service clients myself, most of the errors I see come back in HTML anyway, because they’re generated by some box in front of the API service.

About this issue

  • Original URL
  • State: closed
  • Created 9 years ago
  • Reactions: 1
  • Comments: 18 (15 by maintainers)

Most upvoted comments

It looks like this only matters for ancient software. MSIE 8 and Adobe Flash are at least soon to be no longer with us. I retract this suggestion as infeasible / maybe no longer necessary.

+2
rsc on Nov 22, 2017
Read more comments on GitHub
← go: net/http: cannot set custom/special pseudo-headers when using HTTP/2
go: net/http: client does not send cookies if an intermediary request hits a different domain →