I'm looking at the defaults of Helmet.js and encountered X-Download-Options.
Currently, I've found these:
It's only for IE8
In IE8 if you don't give noopen to this header, any downloaded HTML file's js will run in the current site's context
Another question about X-Download-Options says it removes the open button and alters it with a save button
Is the below a possible attack that must be prevented with X-Download-Options?
Site foo.com allows one user to store a file and another user to download the file
Bad guy: Stores an HTML file which sends him the user's cookies, localStorage, etc. via JS
User: Downloads this file, it immediately opens and runs the js, everything is gone
I know many people ask the opposite of what I am asking. I am trying to make browsers play the file instead of downloading it when opening the mp3 files' link. I do not care if the users download the file after that, but I need the browsers to play the file at first, instead of automatically downloading. It happens on computers and smartphones.
I don't know if it is something I have to change in the .htaccess file or somewhere else. The link to the site is this: https://cefadchurch.com/sermones/predicas-dominicales/
Try the download button. As you can see, it sends you directly to the file's link, but it starts downloading instead of playing. I know a "Download" button's function is obviously to make the browser download the file, but that will not be the case for me, because if the button sends me to the file's link, I would rather the browser play it instead of downloading it, and the company has asked me for that function.
In your response headers, you're actively forcing the download in two ways:
Content-Disposition: attachment
Content-Type: application/octet-stream
Firstly, the Content-Disposition header value of attachment forces a download to occur. You must get rid of it if you want to not have a forced download.
Next, the content type of application/octet-stream is the generic binary type, and thus the browser doesn't know how to render it so just downloads it as a file to let the system handle it. If you're sending MP3s, use audio/mpeg for the Content-Type response header.
Finally, not all browsers can/will play media in a tab when you link to the media directly. If you want the file to play in-browser, you need to embed it into a web page with the <audio> tag.
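The header choices discussed in the X-Download-Options question at the top and in the answer above, as an added example that is not part of the original posts: a Node.js helper that picks the response headers for a stored file. The function names, the `userUploaded` flag and the allow-list of inline types are assumptions made for illustration.

```javascript
// Types this hypothetical site renders in the browser; anything else,
// including HTML and SVG, is always sent as a download.
const INLINE_TYPES = new Map([
  ['.mp3', 'audio/mpeg'],
  ['.ogg', 'audio/ogg'],
  ['.png', 'image/png'],
]);

// Strip any directory part so a stored path never leaks into the header.
function baseName(filename) {
  return filename.split(/[\\/]/).pop();
}

// Content-Disposition with an ASCII fallback plus an RFC 5987 filename*,
// so CR/LF, quotes or non-ASCII in the name cannot break the header.
function contentDisposition(type, filename) {
  const base = baseName(filename);
  const ascii = base.replace(/[^\x20-\x7e]|["\\%]/g, '_');
  const encoded = encodeURIComponent(base).replace(/['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `${type}; filename="${ascii}"; filename*=UTF-8''${encoded}`;
}

// Response headers for a stored file. userUploaded (an assumed flag) means
// another user supplied the bytes, so the file is never rendered inline.
function fileHeaders(filename, { userUploaded }) {
  const base = baseName(filename);
  const dot = base.lastIndexOf('.');
  const ext = dot > 0 ? base.slice(dot).toLowerCase() : '';
  const inlineType = userUploaded ? undefined : INLINE_TYPES.get(ext);
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (inlineType) {
    headers['Content-Type'] = inlineType;
    headers['Content-Disposition'] = contentDisposition('inline', base);
  } else {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = contentDisposition('attachment', base);
    headers['X-Download-Options'] = 'noopen'; // IE8: no "Open" button
  }
  return headers;
}

// Constructed sample inputs.
console.log(fileHeaders('sermons/domingo.mp3', { userUploaded: false }));
console.log(fileHeaders('invoice.html', { userUploaded: true }));
```

The site's own MP3 is served as `audio/mpeg` with `inline`, while the uploaded HTML file is served as an opaque attachment that the browser neither sniffs nor opens in the site's context.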
I have some Word files which need to have hyperlinks. The hyperlinks go to an htm file with an anchor, but that htm file isn't provided via a direct URL for security reasons. Rather, it links to an ashx handler file that retrieves the file and does a response.write to show the html file in the browser. Before it does this, though, it checks to make sure that there's a valid session, and if there isn't then it just redirects to the login page. This works fine when linking from within the ASP.Net site, but when I link to it from a local MSWord file, it apparently doesn't know there's a valid session (even though I've logged in in the browser), and redirects to the login page. Is there any way around this? For compatibility these Word documents need to be in Word 97-2003 format unfortunately...
No. This won't work.
Opening the word file outside of a browser and clicking on the link is going to start a brand new session; regardless of whether you currently have a browser window opened on the site.
Because a new session is starting, the web server will assume you aren't logged in at all. Which, technically, you aren't.
In order to find the server spec, I've created a file in the root dir of my website called spec.htm and entered this content, as was suggested to me by another user:
<html>
<head>
<title></title>
</head>
<body>
@ServerInfo.GetHtml()
</body>
</html>
but I only get a copy of the code in my browser and it doesn't run it.
What might the problem be?
EDIT: I think that the problem is that I'm not using IIS.
Is there a way to do so without using IIS?
Thanks
Please see the following article
http://www.asp.net/webmatrix/tutorials/14-introduction-to-debugging
The ServerInfo helper is a diagnostic tool that gives you an overview of information about the web server environment that hosts your page. It also shows you HTTP request information that is sent when a browser requests the page. The ServerInfo helper displays the current user identity, the type of browser that made the request, and so on. This kind of information can help you troubleshoot common issues.
Create a new web page named ServerInfo.cshtml.
At the end of the page, just before the closing tag, add the following highlighted code.
@ServerInfo.GetHtml()
Note, it appears as though this is designed to run in IIS only and not on Linux / Apache servers.
Note, this is a RAZOR syntax so your system needs to be able to run Razor by installing the WebMatrix
@ServerInfo.GetHtml() is a Razor view engine syntax. Try saving your file as .cshtml or .vbhtml
The problem is that your webserver is not set up to serve HTML files through the ASP.NET interpreter. Change the extension to .aspx (i.e., use the same code, but call it spec.aspx).
Are you setting the Content-Type header correctly? If not set to text/html or similar, the browser or framework may set the content-type to text/plain which will not render the html at all.
You can check this in Firebug in the Net tab, expanding the response that is associated with the page you are serving, and looking in the Headers tab. If the Content-Type header is anything besides text/html or text/xhtml, then you need to find a way to make your web server set that header properly
Let me guess: it's just showing up "@ServerInfo.GetHtml()" on a webpage. This does nothing if you simply put it in the body tag of an HTML page. If you are running IIS, make sure you are saving as .aspx and not .html.
See "yourhtmlsource.com/myfirstsite/myfirstpage.html"
I hope I am understanding the question and this helps. I found it on the web page given above.
When you double-click a file on your computer’s desktop, the computer knows what program to open the file in by checking the file’s “extension”. A txt file will open in a text editor.
You need to give your document a file extension of “.html”, which will tell it to open the file in your web browser, such as Internet Explorer, Firefox or Safari.
Right now you should be editing your HTML page in a text editor, which normally saves files with the extension “.txt”. We want to make it save in “.html”. In your text editor click File → Save As…. If you use Microsoft Windows, there will be a box labelled “save as type”; change it to “all files .”. This means that you can save the data (in this case, some text) into any format. Now type in the name index.html for your file and click save. Ex: file.txt becomes file.html.
I am building a web app that lets the user directly download files on a cdn by clicking a link. The link should point to the cdn url directly in order to minimize the load on our servers.
We would like to have the browser pop up the save as dialog box when the user clicks the link to download the file and not have the browser display the content of the file at all. So the page should not reload. However, we don't have access to setting the HTTP headers sent back from the CDN. Is it possible to still pop up the save as dialog box for download using client-side code?
Is it possible to still pop up the save as dialog box for download using client-side code?
No. Unless the file type is something the browser does not understand (or the HTTP header Content-Disposition is "attachment"), the "Save As" dialog will not appear.
This behavior cannot be changed by JavaScript.
The behavior is controlled by the Content-Disposition header, unless the browser simply doesn't understand how to display content of the type returned. Without the ability to change the Content-Disposition header to attachment, you can't force the browser to download the file instead of render it. This must be done server-side.
I'm using Silverlight and I need to allow the user to save some dynamically generated files.
For PDF files I created an http handler and it works just fine when I open it in a popup window.
For Excel files I tried every combination of Content-type and Content-disposition but IE8 refuses to open the file. With Fiddler I can see the get and there's a very short display of an IE window but it closes straight away.
I can't see any error message anywhere and I can't find any other description of the issue. IE7 exhibits the same behaviour.
I tried Content-type = application/vnd.ms-excel, application/unknown, application/octet-stream
and for Content-disposition I tried inline and attachment.
PS: I can't use the SL built-in save dialog because it requires the context to be within a user action and I generate the file asynchronously on the server.
Sounds like automatic prompting for downloads is disabled. See this description on how to enable automatic prompting. Enabling automatic prompting worked for me (situation: silverlight app uses Window.Navigate to open a popup to a generic handler that generates an excel file, with content-disposition: attachment, which worked fine in FF, but not in IE8).
As this post is already pretty old, I'm curious if you found a better way to solve this!
You should be using Content-Disposition: attachment
Have you tried on another client? My guess is maybe that Office is trying to get kicked off and is failing.
Alternatively, it's possibly related to http://blogs.msdn.com/ieinternals/archive/2009/10/02/Internet-Explorer-cannot-download-over-HTTPS-when-no-cache.aspx