Well... If the Shindig server is locked down and properly secured, what vulnerability is the Content-Disposition protecting against? And if the Shindig server is not locked down and secured, does the server owner really care about security?

Can we just remove this protection altogether and just rely on the security of locked domains and secure tokens?

From: Ryan J Baxter/Westford/IBM@Lotus
To: [email protected]
Date: 01/31/2012 08:44 AM
Subject: Re: makeRequest content-disposition header to prevent XSS

Would this mean that your changes would only work on IE if locked domains are enabled and "secure" security tokens are turned on?

-Ryan

From: Dan Dumont/Westford/IBM@Lotus
To: [email protected]
Date: 01/30/2012 06:29 PM
Subject: makeRequest content-disposition header to prevent XSS

I'm looking at the response from makeRequest and was reminded that we do:

    // Always set Content-Disposition header as XSS prevention mechanism.
    response.setHeader("Content-Disposition", "attachment;filename=p.txt");

I'm wondering what people think about not doing this in a Shindig config that uses locked domains and secure tokens? This detail is crucial to being able to support file upload through the makeRequest proxy in IE without the aid of a Flash plugin.
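As an added illustration of the policy being debated in this thread (this is example code, not Apache Shindig's implementation, and the function names, the config flags and the sample HTML body are assumptions): the current behaviour always forces a download with the header value quoted above, so a browser that navigates directly to the proxy URL never renders proxied HTML in the container's origin; the proposed behaviour drops the header only when both locked domains and secure tokens are on, so the response can only ever land in a per-gadget origin.

```python
"""
Hypothetical model of the makeRequest proxy response policy discussed above.
Illustrative code only: not Apache Shindig's own implementation. The flag
names and helper functions are assumptions made for this example.
"""
from typing import Dict, Optional

# The exact header value the thread quotes from the Shindig proxy.
ATTACHMENT_DISPOSITION = "attachment;filename=p.txt"

# Constructed sample of what a malicious upstream could return through
# the proxy; if rendered inline on the container host it runs there.
UNTRUSTED_HTML = "<html><script>alert(document.cookie)</script></html>"


def build_proxy_headers(upstream_content_type: str,
                        locked_domains_enabled: bool,
                        secure_tokens_enabled: bool,
                        relax_when_isolated: bool = False) -> Dict[str, str]:
    """Assemble response headers for a proxied makeRequest response.

    relax_when_isolated=False (current behaviour): always attach the
    Content-Disposition header, so a navigation straight to the proxy URL
    is offered as a download instead of being rendered.

    relax_when_isolated=True (the proposal): omit the header only when
    BOTH locked domains and secure tokens are enabled, i.e. when the
    response is already confined to a per-gadget origin that cannot reach
    the container's cookies or DOM.
    """
    headers = {"Content-Type": upstream_content_type}
    isolated = locked_domains_enabled and secure_tokens_enabled
    if not (relax_when_isolated and isolated):
        headers["Content-Disposition"] = ATTACHMENT_DISPOSITION
    return headers


def disposition_type(headers: Dict[str, str]) -> Optional[str]:
    """Return the disposition-type token ('attachment', 'inline', ...)
    from a Content-Disposition header, or None if the header is absent."""
    value = headers.get("Content-Disposition")
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()


def rendered_inline(headers: Dict[str, str]) -> bool:
    """True if a browser navigating to this response would render the
    body in the responding origin rather than offer it as a download."""
    return disposition_type(headers) != "attachment"


if __name__ == "__main__":
    # Current behaviour: even with locked domains + secure tokens on,
    # the body is still forced to download.
    current = build_proxy_headers("text/html", True, True)
    print("current config renders inline:", rendered_inline(current))

    # Proposed behaviour: only the isolated configuration renders inline,
    # which is what the IE file-upload use case needs.
    proposed = build_proxy_headers("text/html", True, True,
                                   relax_when_isolated=True)
    print("proposed, isolated:", rendered_inline(proposed))
    partial = build_proxy_headers("text/html", True, False,
                                  relax_when_isolated=True)
    print("proposed, locked domains only:", rendered_inline(partial))
```

The point the model makes explicit is that the relaxation is gated on both protections at once: locked domains without secure tokens, or secure tokens without locked domains, still gets the attachment header, which matches the condition Ryan asks about.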
