shindig-dev mailing list archives

From "Dan Dumont" <ddum...@us.ibm.com>
Subject makeRequest content-disposition header to prevent XSS
Date Mon, 30 Jan 2012 23:28:35 GMT
I'm looking at the response from makeRequest and was reminded that we do:
    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a shindig config 
that uses locked domains and secure tokens?
This detail is crucial to being able to support file upload through the 
makeRequest proxy in IE without the aid of a flash plugin.
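The trade-off in the message is between the header as a blanket guard and the locked-domain/secure-token setup as an alternative guard. The following audit function, added here as an illustration and not taken from Shindig, shows the check a deployer could run over proxy responses: a response the browser would render as a document (HTML, XML, SVG, or an untyped body that IE would sniff) is acceptable only if it carries "Content-Disposition: attachment" or, assuming the configuration the message describes, is served from a per-gadget locked domain rather than the shared container host. The sample responses, the host names and the renderable-type list are constructed for the example.

```python
"""Audit proxy responses for the Content-Disposition XSS guard.

Constructed example, not Shindig code. Each sample is a raw HTTP response as
a proxy like makeRequest might return it. A renderable body served inline from
the shared container host would run in that host's origin, which is the XSS
the header is meant to prevent. A body served from a per-gadget locked domain
is treated here as a second acceptable guard, modelling the configuration the
message asks about (an assumption of this example, not a verdict on it).
"""

# Content types a browser renders as an active document (constructed list).
RENDERABLE = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Constructed sample responses (CRLF-delimited, as on the wire).
SAMPLE_INLINE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>proxied page</body></html>"
)
SAMPLE_ATTACH = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Disposition: attachment;filename=p.txt\r\n"
    "\r\n"
    "<html><body>proxied page</body></html>"
)
SAMPLE_JSON = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"rc":200}'
)
SAMPLE_NO_TYPE = (
    "HTTP/1.1 200 OK\r\n"
    "\r\n"
    "<html><body>sniffable</body></html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def content_type(headers):
    """Media type without parameters, e.g. 'text/html'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def is_attachment(headers):
    """True when the disposition type is 'attachment' (parameters ignored)."""
    disposition = headers.get("content-disposition", "")
    return disposition.split(";")[0].strip().lower() == "attachment"


def audit(raw, served_from_host, shared_host="shindig.example.test"):
    """Classify one proxy response.

    served_from_host is the host the browser fetched the response from
    (a request-side fact, so it is passed in rather than read from headers).
    A missing Content-Type is treated as renderable, since IE would sniff it.
    """
    _, headers = parse_headers(raw)
    ctype = content_type(headers)
    if ctype and ctype not in RENDERABLE:
        return "ok: not renderable"
    if is_attachment(headers):
        return "ok: attachment"
    if served_from_host.lower() != shared_host.lower():
        return "ok: locked domain"
    return "risk: renderable content served inline from shared host"


if __name__ == "__main__":
    for name, sample in [("inline", SAMPLE_INLINE), ("attach", SAMPLE_ATTACH),
                         ("json", SAMPLE_JSON), ("no-type", SAMPLE_NO_TYPE)]:
        print(name, "shared  ->", audit(sample, "shindig.example.test"))
        print(name, "locked  ->", audit(sample, "gadget-abc123.locked.example.test"))
```

Running the module prints a verdict per sample for both a shared-host and a locked-domain origin; the untyped body is flagged on the shared host, which is the case a deployer dropping the header would want to confirm is covered by the locked-domain setup.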