[jira] [Commented] (OFBIZ-6702) Update SimpleContentViewHandler to return mime type on file extension and use inline for content-disposition

    [ https://issues.apache.org/jira/browse/OFBIZ-6702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14980663#comment-14980663 ]

Jacques Le Roux commented on OFBIZ-6702:
----------------------------------------

I noticed this Note there:
{quote}
Note: A particular configuration of the server hosting a PDF document could force the download of the file (disabling the preview).
{quote}
It seems this is related to a wrong mime type.

I tried to understand if inline was less secure than attachment. It seems that the most important part are the filename and it's mime type, see http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/ for instance to see how HTTPD is more secure than the  Microsoft IIS web server. But I could not find a clear difference between the 2 options.

I propose we still use attachment by default but provide a general property "content-disposition=attachment" which can be turned to "inline" when people want to. Something like
{code}
#-- attachment might be replaced by inline if you prefer to offer this option to your users.
#   attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
content-disposition=attachment
{code}

Opinions?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)