[ https://issues.apache.org/jira/browse/OFBIZ-6702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14980663#comment-14980663 ]

Jacques Le Roux commented on OFBIZ-6702:
----------------------------------------

I noticed this Note there:
{quote}
Note: A particular configuration of the server hosting a PDF document could 
force the download of the file (disabling the preview).
{quote}
It seems this is related to a wrong mime type.

I tried to understand if inline was less secure than attachment. It seems that 
the most important parts are the filename and its MIME type; see 
http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/ for 
instance to see how HTTPD is more secure than the Microsoft IIS web server. 
But I could not find a clear difference between the 2 options.

I propose we still use attachment by default but provide a general property 
"content-disposition=attachment" which can be turned to "inline" when people 
want to. Something like
{code}
#-- attachment might be replaced by inline if you prefer to offer this option to your users.
#   attachment is supposed to be more secure, but this is a bit unclear, see OFBIZ-6702 for details
content-disposition=attachment
{code}

Opinions?

> Update SimpleContentViewHandler to return mime type on file extension and use inline for content-disposition
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6702
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6702
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: content
>    Affects Versions: Trunk
>            Reporter: Gareth Carter
>            Priority: Trivial
>         Attachments: SimpleContentViewHandler.java.patch, UtilHttp.java.patch
>
>
> SimpleContentViewHandler will return mime type 'text/html' for all 
> DataResource values without a specified mimeTypeId. Changing to 
> DataResourceWorker.getMimeType will allow determining the mimeTypeId by file 
> extension. 
> Fixing the mime type will allow the browsers to display content inline if 
> UtilHttp is updated as well. All unknown extensions will be set to 
> octet-stream, causing the browser to prompt for download.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
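The thread above turns on three response headers: the MIME type (derived from the stored mimeTypeId or, failing that, the file extension, with unknown extensions falling back to octet-stream), the Content-Disposition (attachment by default, inline as a configurable option) and the filename carried in it. The following is an added, language-neutral illustration of that header logic, written in Python rather than in OFBiz's Java; it is not OFBiz code and does not use SimpleContentViewHandler, DataResourceWorker or UtilHttp. The extension table, the list of "active content" types that are never served inline even when inline is requested, and the filename cleanup are this example's own assumptions, chosen to show why the filename and MIME type matter more than the inline/attachment choice: a misdeclared text/html type on user-supplied content is what lets a browser render it as a page, whereas an octet-stream or attachment response with nosniff is only ever downloaded.

```python
import os
import re
from urllib.parse import quote

# Constructed extension-to-MIME table (assumption for this example, so it runs
# identically everywhere instead of depending on the OS mimetypes database).
EXTENSION_MIME = {
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "txt": "text/plain",
    "html": "text/html",
    "htm": "text/html",
    "svg": "image/svg+xml",
}

# Types a browser will execute script from if rendered inline. This list is the
# example's own policy, not something the OFBiz issue specifies.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def mime_type_for(filename, declared_mime=None):
    """Stored mime type if the record has one, else derive it from the
    extension, else application/octet-stream (browsers download that and
    never interpret it as HTML)."""
    if declared_mime:
        return declared_mime
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_MIME.get(ext, "application/octet-stream")


def safe_filename(name):
    """Keep only the base name and replace characters that would break or
    smuggle extra parameters into the Content-Disposition header."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r'[\x00-\x1f\x7f"\\;]', "_", base)
    return base or "download"


def content_headers(filename, disposition="attachment", declared_mime=None):
    """Build the three headers for serving a stored file.

    `disposition` plays the role of the proposed content-disposition property:
    "attachment" by default, "inline" if the site opts in. Inline is honoured
    only for a known, passive type; unknown or active types are always sent
    as an attachment. X-Content-Type-Options: nosniff stops the browser from
    second-guessing the declared type from the body.
    """
    mime = mime_type_for(filename, declared_mime)
    fname = safe_filename(filename)
    if (disposition == "inline"
            and mime != "application/octet-stream"
            and mime not in ACTIVE_CONTENT_TYPES):
        disp = "inline"
    else:
        disp = "attachment"
    # RFC 6266: plain ASCII filename for old clients plus RFC 5987 filename*
    # for the real (possibly non-ASCII) name.
    ascii_name = fname.encode("ascii", "ignore").decode("ascii") or "download"
    utf8_name = quote(fname, safe="")
    return {
        "Content-Type": mime,
        "Content-Disposition": (
            f"{disp}; filename=\"{ascii_name}\"; filename*=UTF-8''{utf8_name}"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name, disp in [("report.pdf", "inline"), ("notes.xyz", "inline"),
                       ("page.html", "inline"), ('../../etc/evil"name.png', "inline"),
                       ("facture €.pdf", "attachment")]:
        print(name, "->", content_headers(name, disp))
```

With this policy a PDF or image is shown in the browser when the site chooses inline, an unknown extension (notes.xyz) prompts for download exactly as the issue describes, and an uploaded .html file is never rendered in the site's origin regardless of the configured default. The filename cleanup matters independently of the inline/attachment choice: a stored name containing a quote or semicolon could otherwise terminate the header value early or inject a parameter.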