allow plain text with charset (#9935)

Author: vicb

.changeset/plain-baths-leave.md

@@ -0,0 +1,5 @@
+---
+"@cloudflare/workers-shared": patch
+---
+
+allow plain text with charset

packages/workers-shared/router-worker/src/worker.ts

@@ -136,12 +136,18 @@ export default {
 
 					if (shouldBlockNonImageResponse) {
 						const resp = await env.USER_WORKER.fetch(maybeSecondRequest);
-						const isImage = resp.headers
-							.get("content-type")
-							?.startsWith("image/");
-						const isPlainText =
-							resp.headers.get("content-type") === "text/plain";
-						if (!isImage && !isPlainText && resp.status !== 304) {
+
+						const contentType = resp.headers.get("content-type") || "";
+
+						// Allow:
+						// - images
+						// - text/plain - used by Next errors
+						const isImageOrPlainText =
+							contentType.startsWith("image/") ||
+							// Matches "text/plain", "text/plain;charset=UTF-8"
+							contentType.split(";")[0] === "text/plain";
+
+						if (!isImageOrPlainText && resp.status !== 304) {
 							analytics.setData({ abuseMitigationBlocked: true });
 							return new Response("Blocked", { status: 403 });
 						}

packages/workers-shared/router-worker/tests/index.test.ts

@@ -313,6 +313,18 @@ describe("unit tests", async () => {
 					expectedStatus: 200,
 					expectedBody: "fake image data",
 				},
+				{
+					description:
+						"allows /_next/image requests with remote URLs that have content type text/plain with charset",
+					url: `https://example.com${subpath}_next/image?url=https://example.com/image.jpg`,
+					userWorkerResponse: {
+						body: "fake image data",
+						headers: { "content-type": "text/plain;charset=UTF-8" },
+						status: 200,
+					},
+					expectedStatus: 200,
+					expectedBody: "fake image data",
+				},
 				{
 					description:
 						"allows /_next/image with remote URL and image header regardless of response content",