I'm looking at the response from makeRequest and was reminded that we do:

    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a Shindig config that uses locked domains and secure tokens? This detail is crucial to being able to support file upload through the makeRequest proxy in IE without the aid of a Flash plugin.
