hi Bertrand,

thanks for your mail.

On Aug 8, 2014, at 7:43 AM, Bertrand Delacretaz <[email protected]> wrote:
> Hi,
>
> About SLING-3829, what's the suggested usage scenario?

this is the story.

Allowing users to upload some files on a sensitive domain is dangerous. One possible example is users uploading some crafted SWF file.

Now there are different ways to defend against this. One option is using a sandbox (or sub) domain (but this is more an operational defense).

What we can do at application level is to have a filter that works only on some configured paths (namely the ones that general users are able to upload content to, e.g. /content/forum/comments) and force a download of the file (hence Content-Disposition) for some Content-Type (e.g. application/x-shockwave-flash).

I hope this sheds some light

regards
antonio

> Is that about configuring some request paths, with wildcards, so that
> Content-Disposition:something is added to all responses?
>
> It might be good to trigger this based on either request or resource
> path, extension, resource type...I'm not sure, so would appreciate
> more details on the intentions.
>
> -Bertrand
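The filter Antonio describes, as an added illustration that is not part of this thread or of the Sling code base: it is a plain servlet filter with the path list and content-type list hard-coded (a real Sling filter would take them from OSGi configuration), it matches on the request URI rather than the resolved Sling resource path, and it wraps the response so the decision is made at the moment the serving servlet sets the content type.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Illustration of the SLING-3829 idea (added example, not Sling code): under the
// configured user-upload paths, responses of the configured content types are
// sent with Content-Disposition: attachment so the browser downloads them instead
// of rendering them in the origin of the sensitive domain.
public class ContentDispositionFilter implements Filter {
    // Constructed configuration; a real Sling filter would read these from OSGi config.
    private final List<String> paths = Arrays.asList("/content/forum/comments");
    private final List<String> types = Arrays.asList("application/x-shockwave-flash");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Assumption: match on the request URI; in Sling the resolved resource path
        // (SlingHttpServletRequest.getResource().getPath()) would be the natural key.
        if (!isUnderConfiguredPath(request.getRequestURI())) {
            chain.doFilter(req, res); // not an upload area: leave the response untouched
            return;
        }
        // The content type is only known once the serving servlet sets it, so wrap the
        // response and decide at that moment whether to force the download.
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void setContentType(String type) {
                super.setContentType(type);
                if (type != null && isForcedDownloadType(type)) {
                    setHeader("Content-Disposition", "attachment");
                }
            }
        });
    }

    boolean isUnderConfiguredPath(String path) {
        return path != null && paths.stream().anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
    }

    boolean isForcedDownloadType(String type) {
        String mime = type.split(";")[0].trim().toLowerCase(); // drop ";charset=..."
        return types.contains(mime);
    }
}
```

One caveat: a servlet that sets the type through setHeader("Content-Type", ...) bypasses the setContentType hook, so a production version should intercept both setters.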
