[ https://issues.apache.org/jira/browse/OFBIZ-6702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14982218#comment-14982218 ]
Gareth Carter commented on OFBIZ-6702:
--------------------------------------

Seems like Firefox will honour Content-Disposition: attachment, I am sure others will. If IE (or any other browser) does mime type sniffing then potentially setting Content-Disposition to inline may mean JavaScript could execute if the determined mime type is text/html.

OFBiz itself could sniff the mime type when files are uploaded. Even validated against the mime type determined by the file extension.

The solution you propose is a good fit, it at least keeps the same behaviour with the option to change. Might I suggest content.properties instead of general.properties

> Update SimpleContentViewHandler to return mime type on file extension and use inline for content-disposition
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6702
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6702
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: content
>    Affects Versions: Trunk
>            Reporter: Gareth Carter
>            Priority: Trivial
>         Attachments: SimpleContentViewHandler.java.patch, UtilHttp.java.patch
>
>
> SimpleContentViewHandler will return mime type 'text/html' for all DataResource values without a specified mimeTypeId. Changing to DataResourceWorker.getMimeType will allow determining the mimeTypeId by file extension
> Fixing the mime type will allow the browsers to display content inline if UtilHttp is updated as well. All unknown extensions will be set to octet-stream causing the browser to prompt for download
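
The header choices discussed in this thread, as an added example that is not part of the original message and is not OFBiz code: the MIME type is resolved from the file extension, unknown extensions fall back to octet-stream, and `inline` is used only for an allow list of types. The class `DownloadHeaders`, the method `headersFor`, the extension table and the allow list are hypothetical; `X-Content-Type-Options: nosniff` is a standard response header that the thread does not mention.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper (not OFBiz code): picks response headers from the file extension. */
public class DownloadHeaders {
    // Constructed extension table; in OFBiz this lookup is DataResourceWorker.getMimeType.
    private static final Map<String, String> BY_EXT = Map.of(
        "pdf", "application/pdf", "png", "image/png", "jpg", "image/jpeg",
        "txt", "text/plain", "html", "text/html", "svg", "image/svg+xml");
    // Constructed allow list (assumption): types this example is willing to render inline.
    // text/html and image/svg+xml are left out because they can carry script.
    private static final Set<String> INLINE_OK = Set.of(
        "application/pdf", "image/png", "image/jpeg", "text/plain");

    static Map<String, String> headersFor(String fileName) {
        String name = fileName == null ? "" : fileName;
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Unknown extensions become octet-stream, so the browser prompts for download.
        String mime = BY_EXT.getOrDefault(ext, "application/octet-stream");
        String disposition = INLINE_OK.contains(mime) ? "inline" : "attachment";
        // Keep only characters that are safe inside a quoted header value.
        String safeName = name.replaceAll("[^A-Za-z0-9._-]", "_");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", mime);
        headers.put("Content-Disposition", disposition + "; filename=\"" + safeName + "\"");
        // Asks the browser not to override the declared type by sniffing the body.
        headers.put("X-Content-Type-Options", "nosniff");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample file names.
        String[] samples = {"report.pdf", "photo.JPG", "page.html", "logo.svg", "data.bin", "README"};
        for (String f : samples) {
            System.out.println(f + " -> " + headersFor(f));
        }
    }
}
```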