Serve it with content-type set to text/plain and browsers won't try to render it. You can try a random html file on github. If you click raw it'll get rendered as text.

This assumption has unfortunately led to countless security issues, at least in the past. The nosniff header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), was created because of this and should be added.

While this probably works, you should also add a restrictive CSP (using the sandbox directive).

Forcing the download (via Content-Disposition header) would likely be even better, but it is annoying for users.

Replying to this comment because though it's vague in specifics it reads as authoritative and knowledgeable. In reality, it confuses/conflates multiple things.

Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.

> If storage.googleapis.com weren't operated by Google, the domain would be blocked by Google's "Safe Browsing" long time ago.

Not true. You just need to make it an eTLD by adding it to the public suffix list. Only subdomains of domains on the PSL can be marked by Google’s Safe Browsing.