
I am working through a report of an automated vulnerability scanner. One item is

Web Server Misconfiguration: Insecure Content-Type Setting ( 11359 )

It's about not returning the character-set for a given HTML page like so, for example:

HTTP/1.1 200 OK
...
Content-Type: text/html; charset=utf-8
...

The reported response in question only gives

HTTP/1.1 200 OK
...
Content-Type: text/html
...

Now I understand the implications, but what about CSS and especially JavaScript?

Is the charset of CSS and JavaScript resources strictly defined by a standard?

What if I have internationalized strings in JavaScript variables? Will those by definition have to be escaped? Or would this case require the declaration of a charset?

Marcel

1 Answer

Is the charset of CSS and JavaScript resources strictly defined by a standard?

No. It is similarly flexible as with HTML, i.e. it can be defined in the style itself, by the embedding HTML, in the HTTP header, or even with a byte order mark. If not explicitly defined it might also have a default or might depend on the charset encoding of the embedding document:

@charset "UTF-8";
<link rel="stylesheet" type="text/css" charset="utf-8" ...>
Content-Type: text/css; charset=utf-8

And the same is true for JavaScript. Thus, you had better always specify the charset encoding.

Conor Mancone
Steffen Ullrich
  • I have found that the charset on the link element is obsolete. See: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link – Marcel Mar 18 '20 at 14:12
  • 1
    @Marcel: It might be considered obsolete but it still works, just tested with Firefox and Chrome. There is lots of obsolete stuff in the standards which still can be (ab)used. – Steffen Ullrich Mar 18 '20 at 15:53
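As an added illustration (not part of the answer above or of any scanner), a small Python script that applies the declaration precedence the answer lists (byte order mark, HTTP header, `@charset`, embedding document) to a CSS response and, like the scanner finding in the question, flags text responses whose charset is left implicit. The function names, the header dictionary and the sample bodies are my own constructions; the precedence order follows the CSS Syntax specification.

```python
import re
from typing import Optional, Tuple, List, Dict

# Byte order marks are checked first; a BOM wins over every other declaration.
_BOMS = [(b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be")]
# charset parameter of a Content-Type header, e.g. "text/css; charset=utf-8"
_CHARSET_PARAM = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)
# Leading @charset rule as the CSS Syntax spec matches it: exact bytes at offset 0.
_AT_CHARSET = re.compile(rb'^@charset "([^"\x00-\x1f]*)";')


def css_encoding(body: bytes, content_type: Optional[str],
                 env_encoding: Optional[str] = None) -> Tuple[str, str]:
    """Return (encoding, source) for a CSS resource.

    Precedence per the CSS Syntax spec: BOM, then the Content-Type charset,
    then a leading @charset rule, then the environment encoding (the link
    element's charset attribute or the embedding document's encoding), and
    finally UTF-8 as the default when nothing declares it."""
    for bom, enc in _BOMS:
        if body.startswith(bom):
            return enc, "bom"
    if content_type:
        m = _CHARSET_PARAM.search(content_type)
        if m:
            return m.group(1).lower(), "http-header"
    m = _AT_CHARSET.match(body[:1024])
    if m:
        name = m.group(1).decode("ascii", "replace").lower()
        # The spec substitutes UTF-8 for a UTF-16 @charset: a file whose first
        # bytes are the ASCII text '@charset' cannot actually be UTF-16.
        if name in ("utf-16", "utf-16be", "utf-16le", "utf-16-be", "utf-16-le"):
            name = "utf-8"
        return name, "@charset"
    if env_encoding:
        return env_encoding.lower(), "environment"
    return "utf-8", "default"


def audit_response(headers: Dict[str, str], body: bytes) -> List[str]:
    """Scanner-style check (constructed here, not the scanner's own logic):
    flag text/* responses that leave the charset to guesswork."""
    ct = headers.get("Content-Type", "")
    findings = []
    if ct.lower().startswith("text/") and not _CHARSET_PARAM.search(ct):
        findings.append("missing charset in Content-Type: " + ct)
    if ct.lower().startswith("text/css"):
        enc, source = css_encoding(body, ct)
        if source in ("environment", "default"):
            findings.append("CSS encoding %s is only inferred (%s)" % (enc, source))
    return findings
```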