d90efa15e4
When requesting files like `/hackattempt.js`, the pages controller was responding with 404 status code. However, since the request was considered a JavaScript request (because of the `.js` extension), the response was also considered to be a JavaScript one, and since the request wasn't an AJAX request, our protection from forgery was preventing a potential security issue by raising an InvalidCrossOriginRequest exception. By setting HTML as content type, we correctly respond with a 404 status code. More info: https://die-antwort.eu/techblog/2018-08-avoid-invalid-cross-origin-request-with-catch-all-route/