20070103

A better solution to the UXSS problem


There's a far more elegant server-side solution to the UXSS PDF problem posted on RSnake's site: mbrisby suggests simply adding a Content-Disposition header that forces the document to be treated as an attachment. Content-Disposition is a MIME header that can carry a good deal of information about how the user agent should handle the content. In HTTP, it lets you direct the browser to show a Save As dialog rather than rendering the content inline, which keeps the PDF out of the in-browser plug-in altogether.

In Apache, this is straightforward. In the main Apache config file, outside of any Directory or VirtualHost sections, add something like the following (the Header directive requires mod_headers to be loaded):

# Match the extension case-insensitively so PDF and Pdf are covered as well.
<FilesMatch "(?i)\.pdf$">
    # "set" replaces any existing Content-Disposition; "append" would produce
    # "inline, attachment" if the application had already sent one.
    Header set Content-Disposition "attachment"
</FilesMatch>

I've tried to find similar functionality in IIS but haven't found anything yet. Not sure about other server configurations.
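Whatever server you run, it's worth verifying the result from the client side. The following checker is an added example (not from the original post or from mbrisby's solution); it parses the Content-Disposition header the way a browser does, flags the "inline, attachment" value an appended header can produce, and the sample responses it audits are constructed, not captured from a real server. The check_url helper and its HEAD request are my assumption about how you'd point it at a live URL.

```python
"""Verify that PDF responses are forced to download (constructed example)."""
import http.client
from urllib.parse import urlsplit


def disposition_type(value):
    """Return the lower-cased disposition type of a Content-Disposition value,
    e.g. 'attachment' for 'Attachment; filename="x.pdf"', or '' if absent."""
    if not value:
        return ""
    return value.split(";", 1)[0].strip().lower()


def pdf_forced_to_download(headers):
    """True if a response with these headers would be saved rather than handed
    to the in-browser PDF plug-in. Header names are compared case-insensitively.
    Only an explicit 'attachment' counts; 'inline, attachment' (the result of
    appending to an existing header) is parsed as 'inline' and fails."""
    lower = {k.lower(): v for k, v in headers.items()}
    return disposition_type(lower.get("content-disposition", "")) == "attachment"


# Constructed sample responses, keyed by a label for the report.
SAMPLE_RESPONSES = {
    "no-header": {"Content-Type": "application/pdf"},
    "set": {"Content-Type": "application/pdf",
            "Content-Disposition": "attachment; filename=report.pdf"},
    "appended": {"Content-Type": "application/pdf",
                 "Content-Disposition": "inline, attachment"},
}


def audit_samples(samples=SAMPLE_RESPONSES):
    """Return {label: True/False} for each sample response."""
    return {label: pdf_forced_to_download(h) for label, h in samples.items()}


def check_url(url, timeout=10):
    """Send a HEAD request to a live URL and apply the same check.
    Needs network access; not exercised by the offline samples above."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return pdf_forced_to_download(dict(conn.getresponse().getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    for label, ok in audit_samples().items():
        print(f"{label}: {'forced download' if ok else 'STILL INLINE'}")
```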

Kudos to mbrisby for giving a far simpler solution.
