I like this idea. The hard part is -- when HTML-serving mode is not enabled, what mime types do we restrict? Krzysztof - is there a safe and future-proof list of mimetypes that we can blacklist?