
server-side solutions

Posted Jan 9, 2007 17:19 UTC (Tue) by roelofs (guest, #2599)
In reply to: server-side solutions by ldo
Parent article: A Firefox PDF plugin XSS vulnerability

Web browsers don't seem to pay any attention to a "Content-disposition: attachment" header line. The only reliable way we found to stop downloads from displaying in the browser was to add an ONCLICK attribute to the link, something like this:

But the whole point (as I understand it) is that you don't control the link--the bad guy does (e.g., a phishing site or somebody else's cracked site). And his link certainly won't include that onclick/save-to-disk function.

(Of course, you were probably referring to historical attempts to prevent inline display, not something in response to this latest threat, which is a useful data point either way.)

Greg



