https://bugzilla.wikimedia.org/show_bug.cgi?id=58448
Web browser: ---
Bug ID: 58448
Summary: Drop "Content-disposition: attachment;" from the
response headers if the MIME type can be typically
rendered by the browser
Product: Wikimedia
Version: wmf-deployment
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: Bugzilla
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected]
Classification: Unclassified
Mobile Platform: ---
Original Bug title:
Drop "Content-disposition: attachment;" from the response headers if the MIME
type can be typically rendered by the browser, including text, png and jpg
files.
----
Reasoning:
This header forces the browser to open a download dialog which is not really
handy for quickly looking at a screenshot. Downloading is still possible for
all who are fans of error-screenshots after removing that header.
----
Possible issue: Bugzilla is abused by spammers for placing their images here.
Possible solution: Only drop the header if the user is logged in.
Possible issue: Injection of malicious content.
Possible solution: Only allow "safe types" (i.e. not .js or only png and jpg
images)
----
Current response headers for attachments:
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2013 13:56:58 GMT
Server: Apache
X-xss-protection: 1; mode=block
Content-disposition: attachment; filename="commons_revision_missing_not_in_user_language.png"
X-content-type-options: nosniff
Content-length: 287653
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/png; name="commons_revision ..."
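An added example, not part of the original report and not Bugzilla's own code: one way to combine the two proposed mitigations (logged-in users only, allowlisted MIME types only) when choosing the `Content-disposition` value. The function names and the exact allowlist are assumptions drawn from the types the report names (text, png, jpg).

```python
import re

# Assumption: allowlist limited to the types the report names (text, png, jpg).
INLINE_SAFE_TYPES = frozenset({"image/png", "image/jpeg", "text/plain"})


def normalize_mime(content_type: str) -> str:
    """Reduce 'Image/PNG; name="x.png"' to 'image/png' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def safe_filename(filename: str) -> str:
    """Replace control characters, non-ASCII, quotes, backslashes and slashes
    so the value cannot leave the quoted parameter or start a new header line."""
    cleaned = re.sub(r'[^\x20-\x7e]|["\\/]', "_", filename)
    return cleaned or "attachment"


def attachment_headers(content_type: str, filename: str, logged_in: bool) -> dict:
    """Build response headers for a stored attachment.

    'inline' is used only when both conditions from the report hold:
    the viewer is logged in and the declared type is on the allowlist.
    Everything else keeps the current forced-download behaviour.
    """
    mime = normalize_mime(content_type)
    inline = logged_in and mime in INLINE_SAFE_TYPES
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": mime or "application/octet-stream",
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Already present in the current response; kept so the browser
        # renders by the declared type instead of sniffing the body.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: (declared type, filename, logged in?)
    samples = [
        ('image/png; name="shot.png"', "shot.png", True),
        ("image/png", "shot.png", False),
        ("text/html", "page.html", True),
        ("application/javascript", "x.js", True),
    ]
    for ctype, name, logged_in in samples:
        print(ctype, logged_in, attachment_headers(ctype, name, logged_in))
```
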