Why does GitHub's "view raw" not render html in the browser?

Time:01-07

GitHub's "view raw" feature displays an HTML file's source code, but I don't understand, why does this not render in the browser? From what I can tell, this should look just like any other webpage -- it starts off with <!DOCTYPE html>, is valid HTML, and viewing view-source:https://raw.githubusercontent.com/me/myrepo/main/myfile.html shows the exact same thing, so there can't be any kind of wrapper that tells the browser to not render it.

What is special about raw.githubusercontent.com that allows content to not render?

CodePudding user response:

GitHub's web server response returns a Content-Type header of text/plain.

The web browser doesn't render based on the .html file extension. It's based on the Content-Type.

To see the headers, try this:

curl -D- -o/dev/null -s YOUR_URL_HERE

CodePudding user response:

GitHub returns a Content-Type of text/plain, which is a plain text file. Browsers are not supposed to render a file as HTML unless it has a Content-Type of text/html (HTML serialization) or application/xhtml+xml (XHTML serialization). Sniffing content is explicitly not supposed to happen because that leads to security vulnerabilities. MSIE did this anyway, and it did in fact lead to security problems.

GitHub does this specifically because hosting arbitrary HTML pages poses security risks due to the possibility of JavaScript and CSS, so most text content through the raw endpoints is served as text/plain. In general, outside of highly controlled contexts such as GitHub Pages, GitHub specifically does not allow unsanitized user content to be rendered in the browser for security reasons.
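As an added example (this is not GitHub's code and is not part of the original answer), here is a minimal "raw file" endpoint that applies the rule described above: a user-supplied .html file is served as text/plain with X-Content-Type-Options: nosniff, so a browser shows the source instead of executing it. The repo path is the one from the question; the server, port and file contents are constructed for the demo.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed sample: an HTML file a user pushed to a repo (not real content).
RAW_FILES = {
    "/me/myrepo/main/myfile.html":
        b"<!DOCTYPE html><html><script>document.title='x'</script></html>",
}

def raw_headers():
    """Headers for a raw endpoint (demo, not GitHub's actual configuration):
    plain text regardless of the file extension, plus nosniff so the browser
    does not guess a richer type from the body."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }

class RawHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = RAW_FILES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        for name, value in raw_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_raw(path):
    """Serve on a free loopback port, fetch one path, stop the server.
    Returns (content-type, x-content-type-options, body)."""
    server = HTTPServer(("127.0.0.1", 0), RawHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urlopen(f"http://127.0.0.1:{server.server_port}{path}") as resp:
            return (resp.headers.get("Content-Type"),
                    resp.headers.get("X-Content-Type-Options"), resp.read())
    finally:
        server.shutdown()
        server.server_close()

def browser_would_render_html(content_type):
    """The rule from the answer: only these media types are rendered as markup."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in ("text/html", "application/xhtml+xml")
```

Calling fetch_raw("/me/myrepo/main/myfile.html") returns the unchanged HTML body under a text/plain type, which is exactly the combination the browser displays as source; the same body under text/html would be rendered, script included.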
