| |||||||||||||
server-side solutionsserver-side solutionsPosted Jan 8, 2007 23:43 UTC (Mon) by roelofs (guest, #2599)Parent article: A Firefox PDF plugin XSS vulnerability Other server-side solutions are being discussed as there is a concern that users are unlikely to upgrade their browser plugins. Another one I saw (beyond the linked token_query suggestion) is to have the server mark PDFs as attachments, which forces them to be downloaded. It's not as convenient for users, but it completely bypasses the broken plugin. Greg
(Log in to post comments)
server-side solutions Posted Jan 9, 2007 7:51 UTC (Tue) by ldo (subscriber, #40946) [Link] Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this: <SCRIPT>
server-side solutions Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs (guest, #2599) [Link] Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function. (Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.) Greg
|
|||||||||||||