
Does Content-Disposition have useful meaning? #1

Closed
mikewest opened this issue Feb 16, 2021 · 4 comments

Comments

@mikewest (Member)

My understanding is that Content-Disposition will force a download for resources which are navigated to (either top-level or in frames), which might have some use? It doesn't seem to have an effect on resources loaded as subresources in modern browsers... I see it all over Google, Facebook, Twitter, etc. endpoints (for example https://www.google.com/complete/search?q=public-webappsec), and it's not clear to me what it's meant to mitigate.

/cc @arturjanc who asked about this.

mikewest added a commit that referenced this issue Feb 16, 2021
@shhnjk (Member) commented Feb 16, 2021

From what I know, Content-Disposition was used to tell browsers that the content is not for rendering. I think it was useful for telling browsers to not load plugin with that resource (or something similar, but I forgot :( ).

The second thing was RFD. To prevent RFD, you'd have to have Content-Disposition with filename specified so that it won't be downloaded as a different file type from a trusted source.

But both of those things might be mitigated by default by some browsers today.

@mikewest (Member, Author)

> But both of those things might be mitigated by default by some browsers today.

This is mostly what I'm interested in. I was hoping @arturjanc would have exciting details about attacks this mitigates in modern browsers, but he asked me about it, so. Idunno. :) Feels like something that might just be cargo-culted from the past.

@arturjanc

I asked some folks about this and will report back if I learn anything useful. My guess is that one of the main reasons for this was to prevent attacks like Rosetta Flash because Adobe Flash was fixed to ignore SWFs with Content-Disposition: attachment.

@mikewest (Member, Author)

Based on that internal thread, I'm fairly convinced that Content-Disposition is useful in the presence of Flash, but its effect on navigation can be more clearly obtained via Content-Security-Policy: sandbox, which both prevents script execution and shifts the resource into an opaque origin. Given that Flash is no longer a boundary we need to be concerned with (as users who have intentionally installed a pre-killswitch version will remain vulnerable in perpetuity), I'll drop the recommendation from this doc and add a note about CSP as a belt-and-suspenders approach.
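An added example, not code from this thread or its repository: a small header check for the two mitigations the comments above describe (a Content-Disposition with a server-pinned filename against RFD, and a CSP sandbox without the flags that re-enable script or same-origin access as the navigation alternative). The function names and the sample headers are constructed for illustration.

```python
from email.message import Message  # reused for its RFC 2231/5987 parameter parsing

def parse_content_disposition(value):
    """Return (disposition, filename) for a Content-Disposition value, or (None, None).
    email.message handles both filename= and the RFC 5987 filename*= form."""
    if not value:
        return None, None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_content_disposition(), msg.get_filename()

def csp_sandbox_flags(csp):
    """Return the sandbox directive's flags (possibly empty) or None if absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return [t.lower() for t in tokens[1:]]
    return None

def assess(headers):
    """Summarise which of the mitigations from the thread a response carries."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition, filename = parse_content_disposition(h.get("content-disposition"))
    flags = csp_sandbox_flags(h.get("content-security-policy"))
    # RFD: "attachment" alone lets the requested URL choose the saved name and
    # extension; a server-supplied filename pins the file type.
    rfd_mitigated = disposition == "attachment" and bool(filename)
    # Navigation: a forced download, or a sandbox that keeps script off and the
    # origin opaque (so neither allow-scripts nor allow-same-origin is present).
    strict_sandbox = flags is not None and not {"allow-scripts", "allow-same-origin"} & set(flags)
    return {
        "forces_download": disposition == "attachment",
        "rfd_mitigated": rfd_mitigated,
        "navigation_isolated": disposition == "attachment" or strict_sandbox,
    }

SAMPLE_RESPONSES = {  # constructed samples, not any real endpoint's headers
    "legacy-json": {"Content-Type": "application/json",
                    "Content-Disposition": "attachment"},
    "pinned-json": {"Content-Type": "application/json",
                    "Content-Disposition": 'attachment; filename="suggest.json"'},
    "csp-only": {"Content-Type": "application/json",
                 "Content-Security-Policy": "sandbox; default-src 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, assess(hdrs))
```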
