In several places in Shindig (RpcServlet, MakeRequestHandler, ConcatProxyServlet, ProxyHandler) Shindig sets this HTTP header in the response, which (depending on what kind of call it is) triggers the browser to attempt to download a file named "p.txt" instead of processing the content. In one or two of these places, there is a comment stating that this is being done to prevent XSS attacks. Could someone explain more about what kind of attacks this is designed to prevent?
The reason I ask is that it disables some interesting use cases, including one that came up recently. We're using our (Jive's) implementation of locked domains to prevent different gadgets from interfering with each other (or with the parent page). However, a need has come up for a gadget to be able to render part of its UI from a remote server (inside an iframe inside the gadget), but still interact with the client-side gadget JavaScript, which would normally be prevented by the locked domains. So, the gadget author tried to use gadgets.io.getProxyUrl() around the URL in the "src" attribute of the iframe, hoping that the inner iframe would now be from the same domain as the gadget iframe. But the Content-Disposition header causes the browser to offer a file download instead of displaying the inner iframe content.

This particular use case would probably be better served ultimately by leveraging a type="url" view, but I'm still curious what kinds of XSS attacks this header was designed to prevent.

Craig
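An added illustration of the header behaviour the question is about (example code written for this page, not Shindig's ProxyHandler): a tiny model of a content proxy that serves fetched bytes from its own origin, with the forced-download mode beside the relaxed mode the iframe use case wanted. The function and header names other than Content-Disposition are assumptions, and the upstream HTML is a constructed sample.

```python
"""Why a content proxy tags proxied bodies as an attachment.

A proxy that fetches a third-party URL serves the bytes from its own
origin. If the browser rendered them as HTML, any script inside would run
in the proxy's origin, so the proxy forces a download (the "p.txt" file
the question describes). Names here are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample of what a remote server might return to the proxy.
UPSTREAM_HTML = b"<html><script>document.cookie</script>Hello</html>"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def proxy_headers(upstream_content_type: str, force_download: bool = True) -> dict:
    """Headers a hardened proxy sends; force_download=False is the relaxed mode."""
    headers = {
        "Content-Type": upstream_content_type,
        # Extra hardening not mentioned in the thread: stop MIME sniffing
        # from promoting a text/plain body to renderable HTML.
        "X-Content-Type-Options": "nosniff",
    }
    if force_download:
        # Browser saves the bytes instead of rendering them in our origin.
        headers["Content-Disposition"] = "attachment;filename=p.txt"
    return headers


def would_render_in_proxy_origin(headers: dict) -> bool:
    """True if a browser would display this body as a document of the proxy's origin."""
    disposition = headers.get("Content-Disposition", "").lower()
    if disposition.startswith("attachment"):
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in {"text/html", "application/xhtml+xml", "image/svg+xml"}


def proxy_fetch(upstream_content_type: str, body: bytes, force_download: bool = True) -> Response:
    """Wrap an upstream body the way the proxy would serve it."""
    return Response(200, proxy_headers(upstream_content_type, force_download), body)
```

Running `would_render_in_proxy_origin` over both modes shows the trade-off in the question: the attachment header is what keeps proxied HTML out of the proxy's origin, and removing it is exactly what lets the iframe display, so a type="url" view is the safer route.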
