Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs
In reply to: server-side solutions
Parent article: A Firefox PDF plugin XSS vulnerability
Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:
But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function.
(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)