bun
bun.sh/install should send `Content-Type: text/plain`, but sends `Content-Type: text/html`
Affected URL(s)
https://bun.sh/install
Description of the problem
The "Show script source" button on the website links to https://bun.sh/install. This file is served with the HTTP header Content-Type: text/html. This means that web browsers try to render it as HTML, and you end up with an unreadable mess where all whitespace is collapsed into a single space. It should be served with Content-Type: text/plain to make browsers render it as plain text.
I want to chime in here and expand on why this is important and why, in my opinion, this should be given some priority to resolve.
Today, the top-line recommended way to install bun on *nix systems is to curl this install script and pipe it to your shell. You don't have to look around too much to find advice that doing this type of install is ill-advised if you don't implicitly trust the script author and the integrity of their servers.
The very minimum due diligence for a user intending to install via this script is to open up the script and read it prior to running in the shell, and since you're serving this file from the same domain as the website, and the link on the website opens up a tab with the script source to aid the user in trusting the author, the resulting page should be easily human readable (for any human that speaks some bash anyway).
The lack of typical script formatting on this webpage is a barrier to basic security due diligence, and that is, in my opinion, a bad look for bun.
I don't know anything about the server setup for the Bun website in the slightest, so it's perhaps completely out of band to comment on the level of effort at all, but I would be kind of shocked to learn that changing the response content type for this route was a big lift.
For what it's worth, the, yes, very simple workarounds for those interested in quickly seeing the formatted source of this script are to either:
- just `curl https://bun.sh/install` instead of visiting it in the browser
- read the source of the script at https://github.com/oven-sh/bun/blob/681f5a521f6bb8e3a5d1b0f7bff96cdb55984381/src/cli/install.sh
Again, this is just my two cents, and those two cents mostly speak to the optics of this bug, but I figured I would expand on the issue a bit with those two cents anyway :smile:
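The due-diligence workflow the comment above argues for (fetch the script to a file, check what the server says it is, pin its hash, read it, and only then run it) as an added example. This is not code from the thread and not Bun's installer; the function names, the header-dump file, and the expected-hash parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the issue thread or of Bun's install tooling.
# Shows a "curl | sh" replacement that keeps a human in the loop:
#   1. save the response headers and body separately,
#   2. refuse responses a browser would render as HTML instead of showing source,
#   3. compare the body's SHA-256 with a hash obtained out of band
#      (for example computed from the git blob at a pinned commit),
#   4. open the script in a pager for review before executing it.
set -eu

# file_sha256 FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_content_type HEADERS_FILE
# HEADERS_FILE is a saved response header dump (as written by `curl -D`).
# Returns 0 when the Content-Type is one a browser shows or saves as a script,
# 1 when it is text/html (rendered, whitespace collapsed) or missing.
check_content_type() {
  ctype=$(grep -i '^content-type:' "$1" | tail -n 1 | cut -d: -f2- \
          | tr -d ' \r' | cut -d';' -f1 | tr 'A-Z' 'a-z')
  case "$ctype" in
    text/plain|application/x-sh|application/x-shellscript|text/x-shellscript)
      return 0 ;;
    *)
      echo "warning: script served as '${ctype:-<none>}', not as plain text" >&2
      return 1 ;;
  esac
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to EXPECTED_SHA256 (lowercase hex).
verify_script() {
  actual=$(file_sha256 "$1")
  [ "$actual" = "$2" ]
}

# install_reviewed URL EXPECTED_SHA256
# Hypothetical wrapper tying the checks together; needs network access.
install_reviewed() {
  url=$1; expected=$2
  workdir=$(mktemp -d)
  hdrs="$workdir/headers.txt"; script="$workdir/install.sh"
  # -D writes headers to a file, -o the body; -f fails on HTTP errors, -L follows redirects.
  curl -fsSL -D "$hdrs" -o "$script" "$url"
  check_content_type "$hdrs" || echo "continuing: content-type only affects browser display" >&2
  if ! verify_script "$script" "$expected"; then
    echo "error: hash mismatch for $url, refusing to run" >&2
    rm -rf "$workdir"; return 1
  fi
  # Read the source before it runs; the pager returns when you quit it.
  "${PAGER:-less}" "$script"
  sh "$script"
  rm -rf "$workdir"
}
```

Usage: `install_reviewed https://bun.sh/install <sha256 of the pinned install.sh>`. The hash is the real control here; the content-type check only tells you whether opening the URL in a browser would have been useful for review.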
Yes, we recognize it's important that the source is readable. Unfortunately, this is a limitation of GitHub pages, where we are currently hosting the docs. This will change soon and this will be fixed.
The headers have been fixed; browsers will download it as an attachment, which is in line with other install scripts.
```
< content-type: application/x-sh
< cf-ray: 81b5b5bf7faa679a-SJC
< cf-cache-status: DYNAMIC
< access-control-allow-origin: *
< age: 14230
< cache-control: public, max-age=0, must-revalidate
< content-disposition: inline; filename="install.sh"
```