Add charset to Content-Type header

[wesleybl]

Is your feature request related to a problem? Please describe.

A security scanner reported the vulnerability Web Server Misconfiguration: Insecure Content-Type Setting because plone.restapi responses do not include the charset specification in the Content-Type header. Currently, responses return content-type:application/json without charset, which can lead to potential Cross-Site Scripting vulnerabilities due to incorrect interpretation of the character encoding.

Describe the solution you'd like

I would like plone.restapi to automatically include the charset specification in all JSON responses. The Content-Type header should be:

content-type: application/json; charset=utf-8

[Piyushrathoree]

can i work on this issue ?

[wesleybl]

@Piyushrathoree Before contributing, take a look at: https://6.docs.plone.org/contributing/index.html

[davisagli]

@wesleybl UTF-8 is the only charset supported for application/json (see https://stackoverflow.com/a/73074619), so that sounds kind of redundant and non-standard.

If you can point me to more information about how leaving out the charset can lead to cross-site scripting, I will consider it. But please communicate that privately to the Plone security team since it would be a potential security issue.

[wesleybl]

@davisagli You're right. Looking at the documentation, the only possible value for application/json is utf-8. So there's no security risk here. This was a false positive from the scanner. But wouldn't it be better to be explicit? This would also prevent some crazy browser from trying to guess the charset. I see that many applications return the charset for json. Take Google, for example.

[wesleybl]

And it would also avoid these false positives from scanners.

[davisagli]

@wesleybl Maybe, but there can also be some friction from changing it...i.e. tests for the response Content-Type which start to fail, even though there's no real problem. I'm okay with adding the charset but I wouldn't say it's a priority for me.