shindig-dev mailing list archives

From "Ryan J Baxter" <rjbax...@us.ibm.com>
Subject Re: makeRequest content-disposition header to prevent XSS
Date Tue, 31 Jan 2012 13:40:46 GMT
Would this mean that your changes would only work on IE if locked domains
are enabled and "secure" security tokens are turned on?

-Ryan

From:   Dan Dumont/Westford/IBM@Lotus
To:     dev@shindig.apache.org, 
Date:   01/30/2012 06:29 PM
Subject:        makeRequest content-disposition header to prevent XSS



I'm looking at the response from makeRequest and was reminded that we do:
    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a shindig config 
that uses locked domains and secure tokens?
This detail is crucial to being able to support file upload through the 
makeRequest proxy in IE without the aid of a flash plugin.
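The trade-off the thread raises, as an added Python illustration (not Shindig's own code): a header policy that keeps the forced download by default and drops it only when locked domains and secure tokens both hold, plus a check over a constructed log of proxy responses. The config fields, the locked-domain host suffix and all function names are assumptions.

```python
from dataclasses import dataclass

ATTACHMENT = "attachment;filename=p.txt"  # the value makeRequest sets today, as quoted in the thread


@dataclass(frozen=True)
class ProxyConfig:
    """Constructed config model; the field names are assumptions, not Shindig's own settings."""
    locked_domains_enabled: bool = False
    secure_tokens_enabled: bool = False
    locked_domain_suffix: str = "-a.gadgets.example.org"  # assumed per-gadget host suffix


def is_locked_domain_host(host: str, cfg: ProxyConfig) -> bool:
    """True when the request reached a per-gadget locked domain, not the shared container host."""
    hostname = host.split(":", 1)[0].lower()
    return cfg.locked_domains_enabled and hostname.endswith(cfg.locked_domain_suffix)


def make_request_headers(host: str, token_valid: bool, cfg: ProxyConfig) -> dict:
    """Headers for a proxied makeRequest response.

    Default: always force a download (the current behaviour) so a fetched body is
    never rendered as a document in the container's origin, whatever it contains.
    The header is omitted only when every isolating control holds: locked domains
    are on, the request came in on a locked host, and it carried a valid secure token.
    """
    isolated = (is_locked_domain_host(host, cfg)
                and cfg.secure_tokens_enabled and token_valid)
    return {} if isolated else {"Content-Disposition": ATTACHMENT}


def is_forced_download(headers: dict) -> bool:
    """Parse Content-Disposition (case-insensitive name) and report whether a download is forced."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-disposition", "")
    return value.split(";", 1)[0].strip().lower() == "attachment"


def audit(responses, cfg: ProxyConfig) -> list:
    """Return hosts where an inline-renderable proxy response left the shared container host."""
    return sorted({host for host, hdrs in responses
                   if not is_locked_domain_host(host, cfg) and not is_forced_download(hdrs)})


# Constructed sample log of (request host, response headers) pairs, not real traffic.
SAMPLE = [
    ("container.example.org", {"Content-Disposition": ATTACHMENT}),
    ("container.example.org", {}),                 # the combination the header exists to prevent
    ("g1-a.gadgets.example.org:443", {}),          # acceptable only because the host is locked
]
```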
