I am working through a report of an automated vulnerability scanner. One item is:
Web Server Misconfiguration: Insecure Content-Type Setting ( 11359 )
It's about not returning the character-set for a given HTML page like so, for example:
HTTP/1.1 200 OK
...
Content-Type: text/html; charset=utf-8
...
The reported response in question only gives:
HTTP/1.1 200 OK
...
Content-Type: text/html
...
Now I understand the implications, but what about CSS and especially JavaScript?
Is the charset of CSS and JavaScript resources strictly defined by a standard?
What if I have internationalized strings in JavaScript variables? Will those by definition have to be escaped? Or would this case require the declaration of a charset?
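An added example, not part of the original question: a small inventory check that parses raw HTTP response heads and lists which HTML, CSS and JavaScript responses declare no `charset` parameter, which is the condition the scanner finding describes for HTML. The function names, URLs and sample responses are constructed for illustration, and the check only reports the declaration; it takes no position on whether CSS or JavaScript require one.

```python
import email

# Media types the question asks about (assumption: this set is illustrative).
TYPES_OF_INTEREST = {"text/html", "text/css", "text/javascript",
                     "application/javascript"}

def content_type_and_charset(raw_response):
    """Return (media_type, charset) from a raw HTTP response; None if absent."""
    # Keep only the head: everything before the first blank line.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status_line, _, header_block = head.partition("\n")
    # HTTP headers use the same field syntax the email parser understands,
    # including case-insensitive names and quoted parameter values.
    msg = email.message_from_string(header_block)
    if msg["Content-Type"] is None:
        return (None, None)
    charset = msg.get_param("charset")
    if isinstance(charset, tuple):      # RFC 2231 encoded parameter
        charset = charset[2]
    charset = charset.strip().lower() if charset else None
    return (msg.get_content_type(), charset)

def missing_charset(responses):
    """Return the sorted URLs of HTML/CSS/JS responses with no charset."""
    flagged = []
    for url, raw in responses.items():
        media_type, charset = content_type_and_charset(raw)
        if media_type in TYPES_OF_INTEREST and charset is None:
            flagged.append(url)
    return sorted(flagged)

# Constructed sample responses (not taken from the scanner report).
SAMPLES = {
    "/index.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "/ok.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>",
    "/app.css": "HTTP/1.1 200 OK\r\ncontent-type: text/css\r\n\r\nbody{}",
    "/app.js": 'HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset="UTF-8"\r\n\r\nvar s;',
    "/logo.png": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
}

if __name__ == "__main__":
    for url in missing_charset(SAMPLES):
        print("no charset declared:", url)
```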