Would this mean that your changes would only work on IE if locked domains are enabled and "secure" security tokens are turned on?
-Ryan

From: Dan Dumont/Westford/IBM@Lotus
To: [email protected],
Date: 01/30/2012 06:29 PM
Subject: makeRequest content-disposition header to prevent XSS

I'm looking at the response from makeRequest and was reminded that we do:

    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a shindig config that uses locked domains and secure tokens? This detail is crucial to being able to support file upload through the makeRequest proxy in IE without the aid of a flash plugin.
