User: Password:
|
|
Subscribe / Log in / New account

server-side solutions

server-side solutions

Posted Jan 9, 2007 7:51 UTC (Tue) by ldo (guest, #40946)
In reply to: server-side solutions by roelofs
Parent article: A Firefox PDF plugin XSS vulnerability

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

<SCRIPT>
function PleaseSaveToDisk()
{
alert("Please right-click and save the item to disk.")
return false
}
</SCRIPT>
<A HREF="link-to-whatever" ONCLICK="return PleaseSaveToDisk()">


(Log in to post comments)

server-side solutions

Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs (guest, #2599) [Link]

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function.

(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)

Greg


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds