LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

server-side solutions

server-side solutions

Posted Jan 9, 2007 7:51 UTC (Tue) by ldo (subscriber, #40946)
In reply to: server-side solutions by roelofs
Parent article: A Firefox PDF plugin XSS vulnerability

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

<SCRIPT>
function PleaseSaveToDisk()
{
alert("Please right-click and save the item to disk.")
return false
}
</SCRIPT>
<A HREF="link-to-whatever" ONCLICK="return PleaseSaveToDisk()">

(Log in to post comments)

server-side solutions

Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs (guest, #2599) [Link]

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function.

(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)

Greg

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds