Problem/Motivation
The Sass preprocessor is widely used for Drupal theming, so many Drupal projects keep their styles in scss files. As these files are used only for compiling CSS files, there is no need to keep them publicly accessible. Furthermore, themers can use silent comments (//) to keep sensitive information in the scss files, so this may be considered a security issue.
Steps to reproduce
Create an scss file in your theme directory and visit the following URL.
https://example.com/themes/THEME_NAME/scss/SOME_FILE.scss
Proposed resolution
Add the scss extension to the list of protected extensions in the .htaccess file.
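An added example (not part of the original issue and not Drupal's own code): a Python check that reads the deny rules from .htaccess text and lists which files would still be served, before and after adding scss. The FilesMatch rule is a constructed, simplified stand-in for the protected-extensions block, the sample paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed, simplified rule in the style of a protected-extensions block.
# This is NOT Drupal's actual .htaccess content.
HTACCESS_BEFORE = r'''
<FilesMatch "\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$">
  Require all denied
</FilesMatch>
'''
# The proposed resolution: scss added to the list of protected extensions.
HTACCESS_AFTER = HTACCESS_BEFORE.replace("|twig|", "|scss|twig|")

FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)


def deny_patterns(htaccess_text):
    """Return compiled regexes of FilesMatch sections that deny access."""
    patterns = []
    for regex, body in FILESMATCH.findall(htaccess_text):
        if re.search(r'Require\s+all\s+denied|Deny\s+from\s+all', body, re.I):
            # Assumption: Python's re is close enough to Apache's PCRE here.
            patterns.append(re.compile(regex))
    return patterns


def exposed(paths, htaccess_text):
    """Paths whose file name no deny rule matches, i.e. still served."""
    rules = deny_patterns(htaccess_text)
    result = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]  # FilesMatch tests the file name only
        if not any(rule.search(name) for rule in rules):
            result.append(path)
    return result


# Constructed sample paths, including an editor backup of a scss file.
SAMPLE = [
    "themes/THEME_NAME/scss/SOME_FILE.scss",
    "themes/THEME_NAME/scss/SOME_FILE.scss.bak",
    "themes/THEME_NAME/css/style.css",
    "themes/THEME_NAME/THEME_NAME.theme",
]

if __name__ == "__main__":
    print("served before:", exposed(SAMPLE, HTACCESS_BEFORE))
    print("served after: ", exposed(SAMPLE, HTACCESS_AFTER))
```

Compiled CSS must stay reachable, so the check also confirms that style.css is still served after the change.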
Remaining tasks
Discuss. Create a patch.
User interface changes
No
API changes
No