[ https://issues.apache.org/jira/browse/OFBIZ-6702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14980663#comment-14980663 ]
Jacques Le Roux commented on OFBIZ-6702:
----------------------------------------

I noticed this Note there:
{quote}
Note: A particular configuration of the server hosting a PDF document could force the download of the file (disabling the preview).
{quote}
It seems this is related to a wrong MIME type. I tried to understand if inline was less secure than attachment. It seems that the most important parts are the filename and its MIME type; see http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/ for instance to see how HTTPD is more secure than the Microsoft IIS web server. But I could not find a clear difference between the 2 options.

I propose we still use attachment by default but provide a general property "content-disposition=attachment" which can be turned to "inline" when people want to. Something like
{code}
#-- attachment might be replaced by inline if you prefer to offer this option to your users.
# attachment is supposed to be more secure, but this is a bit unclear, see OFBIZ-6702 for details
content-disposition=attachment
{code}
Opinions?

> Update SimpleContentViewHandler to return mime type on file extension and use
> inline for content-disposition
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6702
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6702
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: content
>    Affects Versions: Trunk
>            Reporter: Gareth Carter
>            Priority: Trivial
>         Attachments: SimpleContentViewHandler.java.patch, UtilHttp.java.patch
>
>
> SimpleContentViewHandler will return mime type 'text/html' for all
> DataResource values without a specified mimeTypeId. Changing to
> DataResourceWorker.getMimeType will allow determining the mimeTypeId by file
> extension.
> Fixing the mime type will allow the browsers to display content inline if
> UtilHttp is updated as well.
> All unknown extensions will be set to octet-stream causing the browser to
> prompt for download.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
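As an added example, not OFBiz code and not part of this issue or its patches, the Python sketch below shows the policy the comment and the issue description discuss: map the file extension to a MIME type with application/octet-stream as the fallback for unknown extensions, honour a configured content-disposition property (attachment by default, inline on request), and build a Content-Disposition value from an untrusted filename. It goes beyond the thread in two places, both my own additions: inline is only honoured for an allowlist of types that cannot carry script (HTML and SVG served inline from the application's origin would execute attacker-supplied script), and the response carries X-Content-Type-Options: nosniff so the browser does not sniff past the declared type. The extension table, the allowlist and the sample filenames are constructed data; function names are assumptions for illustration.

```python
import os
import re
import urllib.parse

# Constructed extension table (sample data, not OFBiz's own mime type list).
# Unknown extensions fall back to application/octet-stream, which makes the
# browser download the file instead of guessing (sniffing) its type.
EXTENSION_TYPES = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain",
    ".csv": "text/csv",
    ".html": "text/html",
    ".svg": "image/svg+xml",
    ".xml": "application/xml",
    ".zip": "application/zip",
}

# Types that may be rendered inline: none of them can carry active content.
# text/html and image/svg+xml are deliberately absent (my addition, see lead-in).
INLINE_SAFE_TYPES = {"application/pdf", "image/png", "image/jpeg", "image/gif", "text/plain"}

# Characters that must not appear in the quoted ASCII filename parameter.
_ASCII_UNSAFE = re.compile(r'[^\x20-\x7e]|["\\;]')


def mime_type_for(filename):
    """Map a file name's extension to a MIME type, defaulting to octet-stream."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_TYPES.get(ext, "application/octet-stream")


def safe_basename(filename):
    """Drop any directory part (either separator) and control characters."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if ch >= " " and ch != "\x7f")
    return name or "download"


def content_disposition(disposition, filename):
    """Build an RFC 6266 Content-Disposition value: a quoted ASCII fallback
    plus an RFC 5987 filename* parameter when the name needed altering."""
    name = safe_basename(filename)
    ascii_name = _ASCII_UNSAFE.sub("_", name)
    value = '%s; filename="%s"' % (disposition, ascii_name)
    if ascii_name != name:
        value += "; filename*=UTF-8''" + urllib.parse.quote(name, safe="")
    return value


def response_headers(filename, configured="attachment"):
    """Headers for serving a stored file. `configured` mirrors the proposed
    content-disposition property ('attachment' or 'inline'); inline is only
    honoured for types in INLINE_SAFE_TYPES."""
    mime = mime_type_for(filename)
    if configured == "inline" and mime in INLINE_SAFE_TYPES:
        disposition = "inline"
    else:
        disposition = "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": content_disposition(disposition, filename),
        # Tell the browser not to second-guess Content-Type (MIME sniffing).
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample filenames covering the interesting cases.
    for name in ("invoice.pdf", "logo.svg", "../../etc/passwd", "rapport é.pdf", "data.unknownext"):
        for mode in ("attachment", "inline"):
            print(mode, repr(name), response_headers(name, mode))
```

With the property left at attachment every file is downloaded, which is the safer default the comment argues for; switching it to inline changes behaviour only for PDFs, images and plain text, while HTML, SVG and anything with an unknown extension keep being served as a download with a fixed Content-Type.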