From 03773a11e96bc088a362bb7026294961c0275017 Mon Sep 17 00:00:00 2001
From: Jacob Foshee
Date: Tue, 19 May 2026 11:07:26 -0500
Subject: [PATCH] Set "Content-Type" header rather than Add in order to replace any header that was previously set on the response. Multiple Content-Type headers are not supported by HTTP and can lead to unpredictable handling in the browser. In this particular case it can cause the html form to be rendered as plain text.
---
 authorize_write.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authorize_write.go b/authorize_write.go
index f254a8358..d3e6f55ff 100644
--- a/authorize_write.go
+++ b/authorize_write.go
@@ -23,7 +23,7 @@ func (f *Fosite) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWri
 switch rm := ar.GetResponseMode(); rm {
 case ResponseModeFormPost:
 //form_post
- rw.Header().Add("Content-Type", "text/html;charset=UTF-8")
+ rw.Header().Set("Content-Type", "text/html;charset=UTF-8")
 WriteAuthorizeFormPostResponse(redir.String(), resp.GetParameters(), GetPostFormHTMLTemplate(ctx, f), rw)
 return
 case ResponseModeQuery, ResponseModeDefault:
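Review bot: The reason for `Set` over `Add` in the `ResponseModeFormPost` branch is recorded only in the commit message, so a later cleanup could switch it back without noticing. I would replace the bare `//form_post` comment with something like `// form_post: Set (not Add) so a Content-Type already present on rw is replaced; a duplicate header can make the browser render the form as plain text.` The diffstat shows one file changed, so no regression test accompanies the fix. A test that pre-populates `Content-Type` on the response writer and asserts that `rw.Header().Values("Content-Type")` holds exactly one entry, `text/html;charset=UTF-8`, would pin the behaviour. That matters because this page carries the authorization response parameters and has to be interpreted as HTML for the form to post. The body of `WriteAuthorizeResponse` starts and ends outside the hunk, so where an earlier `Content-Type` comes from is not visible here.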