I'm playing around with server/backend dev. mostly with ktor at the moment. i basicallty just generated a project and am outputting a raw string of json. I didn't update the headers to specify json even though it does return json. just out of curiosity, would most things still work fine (like a consuming app or web app)? or are response content type headers like critically important to the client?

It depends, but it's usually a good decision to send back the correct response headers.

yeah. i definitely will update it. but was just kinda curious if anyone more experienced with backend dev just kinda knew if it like breaks everything or what.

I think it kind of puts you in undefined territory so there's no telling what might happen since it depends on the implementation

browsers have had varying implementations of content type sniffing

yeah. thats what it seems like. my first task i suppose is to figure out how to return proper headers with ktor. lol. should be a piece of cake. but anyway. im havin fun. is this what not being burnt out feels like? lmaoooo

which has long been a source of security issues on the web so you should avoid it

wait ...? are you saying that i shouldn't set content type headers, or are you saying that i shouldn't supply the "wrong" content type header?

you should always send the correct mine type and never allow the client to guess

gotcha. TIL. lemme add it to the list of stuff to read. thanks

„Content Sniffing“, nice… finally I have a word for detection by magic number. 🙂 It really has its limits. While some formats like JPEG & PNG have proper magic numbers, a lot don’t have that. For instance many photo RAW formats based on TIFF just have a TIFF magic number and tools need to look for specific byte values in specific places to guess if it’s a NEF, ARW, DNG or just a regular TIFF. But of course this is only applicable for binary formats. But it lets me wonder why JSON does not have a short identifier string. HTML could have a doctype header to identify, but this is also optional AFAIK. So yes, sending proper mime type seems to be obligatory.

it's even worse when you also have to do charset detection and some formats contain executable code (e.g. html, svg, and pdf all can contain js)

Yes, and all this content sniffing implementations may vary and conclude to different formats. While magic number detection is not too bad the other methods seem to be very flaky.

some json-based formats do require a specific prefix (such as JWT) but generally… since they're not executable the danger isn't so great

Reminds me a lot of Internet explorers quirks mode. So something that was meant to deal with bad HTML implementations, but actually widespread them, because devs did not notice their errors. I’m always in favor for strict modes and fail fast. With Kim I have the same problem. The established metadata readers ExifTool & Exiv2 compensate a lot of errors, so there are a lot of faulty metadata writer implementations that may caused by devs even not noticing their mistakes (because tested with ExifTool). If you write a metadata reader reading strict according the specs you see how bad it really is. 😄

"that is why you need to disable content sniffing across your whole domain" oooh. any links to that?

the mdn link above

So I’m not sure if Postel‘s law “Be conservative in what you send, be liberal in what you accept.” was the best idea overall.

Nice to see others noticed the problem, too 😄

or https://intarchboard.github.io/draft-protocol-maintenance/draft-iab-protocol-maintenance.html evolved further

We devs should really stop doing that, but I’m not sure if we can turn the boat around. To not fall behind existing metadata reader implementations I needed to add code to Kim to compensate faulty metadata like ExifTool does, because there are by now millions of faulty files people expect to be read. Some cameras even produce broken JPG.