If a branch contains an HTML file, codebrowse can display it by clicking the "download" link. For example:
http://codebrowse.launchpad.net/~vcs-imports/viewvc/trunk/download/vcs-imports%40canonical.com-20070410161038-e2cb3080291d69cd/license.html-20070414165915-x3418xbm42yqb98z-1/LICENSE.html
If the HTML page contains javascript (or loads javascript from offsite with <script src="...">), then it will be executed from the http://codebrowse.launchpad.net principal.
Since we are only serving codebrowse via http and not https, it doesn't expose Launchpad session cookies. However, if we want to serve codebrowse over https and do authentication (e.g. to support browsing of private branches), we will need to remove or neutralise this feature.
Possible ways to neutralise the problem:
* serve all content with an innocuous mime type (e.g. application/octet-stream).
* send a header like "Content-Disposition: attachment" to tell the browser to show a "save as" dialog rather than displaying the page (would need testing).
The fix (to use Content-