[
https://issues.apache.org/jira/browse/OFBIZ-6702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14978660#comment-14978660 ]
Jacques Le Roux commented on OFBIZ-6702:
----------------------------------------
HI Gareth, I'm not sure replacing Content-Disposition/attachment by Content-Disposition/inline is a good idea for security reason.
This is old but interesting
http://forums.mozillazine.org/viewtopic.php?f=7&t=202891https://stackoverflow.com/questions/1012437/uses-of-content-disposition-in-an-http-response-header gives some information.
Note that even attachment is not completly safe
http://i8jesus.com/2009/07/26/content-disposition-is-not-a-security-mechanism/ though in recent browsers I believe it's better (if they follow RFC 6266)
You can find more Googling for "Content-Disposition security"
> Update SimpleContentViewHandler to return mime type on file extension and use inline for content-disposition
> ------------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-6702
> URL:
https://issues.apache.org/jira/browse/OFBIZ-6702> Project: OFBiz
> Issue Type: Improvement
> Components: content
> Affects Versions: Trunk
> Reporter: Gareth Carter
> Priority: Trivial
> Attachments: SimpleContentViewHandler.java.patch, UtilHttp.java.patch
>
>
> SimpleContentViewHandler will return mime type 'text/html' for all DataResource values without a specified mimeTypeId. Changing to DataResourceWorker.getMimeType will allow determining the mimeTypeId by file extension
> Fixing the mime type will allow the browsers to display content inline if UtilHttp is updated aswell. All unknown extensions will be set to octet-stream causing the browser to prompt for download
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
