server-side solutions
Posted Jan 9, 2007 7:51 UTC (Tue) by ldo (guest, #40946)
In reply to: server-side solutions by roelofs
Parent article: A Firefox PDF plugin XSS vulnerability
Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:
<SCRIPT>
// Cancel the default navigation so the browser never renders the file inline;
// the user is told to save it via the context menu instead.
function PleaseSaveToDisk()
{
    alert("Please right-click and save the item to disk.");
    return false;
}
</SCRIPT>
<A HREF="link-to-whatever" ONCLICK="return PleaseSaveToDisk()">link text</A>
Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs (guest, #2599)
But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function.
(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)
Greg