X-Download-Options: noopen to download files

A couple of HTTP response headers are required to force a browser to save/download content instead of displaying it in the browser window.

X-Download-Options: noopen
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename=example.txt
Content-Type: text/plain

NOTE: MSIE also supports a poorly documented proprietary META tag:

<meta name="DownloadOptions" content="noopen|nosave" />

X-Content-Type-Options: nosniff

To prevent XSS/CSRF exploits in MSIE 8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP header that prevents MSIE from “sniffing” the content and overriding the declared Content-Type when it believes that type is incorrect.

Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.

X-Content-Type-Options: nosniff
Content-Type: text/plain

This could be added programmatically to pages in your application, via a servlet or servlet filter, or added to the httpd.conf file.

Apache2 example: httpd.conf

<IfModule headers_module>
Header set X-Content-Type-Options nosniff
</IfModule>

JavaScript language attribute

Occasionally I’ve stumbled upon legacy JavaScript code that is used to determine whether the visiting user’s browser supports JavaScript. This often proves comical, because it is frequently wasting time checking for some very old browsers indeed! Here’s a rundown of the versions of JavaScript, their release dates, and some common browser versions that implemented them.

  • JavaScript 1.0 (March 1996) = Navigator 2.0 / MSIE 3.0
  • JavaScript 1.1 (August 1996) = Navigator 3.0
  • JavaScript 1.2 (June 1997) = Navigator 4.0-4.05
  • JavaScript 1.3 (October 1998) = Navigator 4.06-4.7x / MSIE 4.0
  • JavaScript 1.4 = Netscape Server
  • JavaScript 1.5 (November 2000) = Navigator 6.0 / Firefox 1.0 / MSIE 5.5 – 8.0 / Safari 3.0-5 / Chrome 1.0-10.x / Opera 6.0
  • JavaScript 1.6 (November 2005) = Firefox 1.5
  • JavaScript 1.7 (October 2006) = Firefox 2.0
  • JavaScript 1.8 (June 2008) = Firefox 3.0 / Opera 11.50
  • JavaScript 1.8.1 = Firefox 3.5
  • JavaScript 1.8.2 (June 2009) = Firefox 3.6
  • JavaScript 1.8.5 (July 2010) = Firefox 4.0 / MSIE 9.0 / Opera 11.60

The language attribute has long been deprecated and should generally be avoided; its original purpose was to support other scripting languages, notably VBScript, or to select particular JavaScript versions. Modern conventions specify the MIME type via the ‘type’ attribute instead.

<SCRIPT LANGUAGE="JavaScript"> is now <script type="text/javascript">

<SCRIPT LANGUAGE="JavaScript1.1"> is now <script type="text/javascript1.1">

<SCRIPT LANGUAGE="VBScript"> is now <script type="text/vbscript">

<SCRIPT LANGUAGE="TCL"> is now <script type="text/tcl">

Proxy Auto-config

Many organizations (or individuals) need to establish proxy servers on their network, usually for reasons of security or network topology. While the use of proxy servers simplifies some aspects of networking, it comes at the cost of maintaining the proxy configuration of every client on the network (usually browsers). Netscape provided a mechanism to automate much of this by allowing the browser to retrieve the proxy configuration from a centrally managed server.

The proxy auto-config file is written in JavaScript. It should be a separate file, served with the proper filename extension and MIME type when provided from a web server.

The file must define the function:

function FindProxyForURL(url, host)
{
...
}

1. FILENAME EXTENSION:
.pac

2. MIME TYPE:
application/x-ns-proxy-autoconfig

3. Apache HTTP config:

Add the following to the httpd.conf file:

Redirect permanent /wpad.dat {yourdomain}/proxy.pac
AddType application/x-ns-proxy-autoconfig .pac

4. EXAMPLE:

/* 'proxy.pac' - FindProxyForURL is the main function called by any browser */
function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||                 // No proxy for non-FQDN names
        shExpMatch(host, "*.localnet") ||        // No proxy for internal network
        shExpMatch(host, "127.0.0.1") ||         // No proxy for localhost
        shExpMatch(host, "localhost") ||         // No proxy for localhost
        shExpMatch(host, "mailhost") ||          // No proxy for mailhost
        dnsDomainIs(host, "giantgeek.com")) {    // No proxy for our own domain
        return "DIRECT";
    }
    else {
        // The browser tries each listed proxy in order, failing over to the next
        return "PROXY proxy.giantgeek.com:8080; PROXY proxy.giantgeek.com:8090; PROXY proxy2.giantgeek.com:8080";
    } // End else
} // End function FindProxyForURL
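A PAC file is easiest to get wrong silently, so it helps to exercise its decision logic outside a browser. The following is an added example (not from the original post): simplified stand-ins for the three PAC helper functions used above, modeled on the Netscape/Mozilla reference semantics, plus the example's FindProxyForURL run against a constructed list of hostnames in Node.

```javascript
// Added example: stand-ins for the PAC helpers isPlainHostName, dnsDomainIs and
// shExpMatch (modeled on the reference semantics) so the PAC logic can be tested in Node.

// True when the host contains no dots, e.g. "intranet" or "mailhost".
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Plain suffix match, as in the reference implementation: it does not require a
// dot boundary, so pass ".example.com" as the domain when a boundary matters.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell-style glob anchored to the whole string: '*' matches any run of
// characters and '?' exactly one; everything else is matched literally.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// The decision logic of the proxy.pac example above, with straight quotes.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, '*.localnet') ||
      shExpMatch(host, '127.0.0.1') ||
      shExpMatch(host, 'localhost') ||
      shExpMatch(host, 'mailhost') ||
      dnsDomainIs(host, 'giantgeek.com')) {
    return 'DIRECT';
  }
  return 'PROXY proxy.giantgeek.com:8080; PROXY proxy.giantgeek.com:8090; ' +
         'PROXY proxy2.giantgeek.com:8080';
}

// Run constructed hostnames through the PAC and return a host -> decision map.
function evaluatePac(hosts) {
  const decisions = {};
  for (const host of hosts) decisions[host] = FindProxyForURL('http://' + host + '/', host);
  return decisions;
}

// Constructed sample: the last two must go via the proxy (anchored glob, no suffix match).
const SAMPLE_HOSTS = ['intranet', 'files.localnet', '127.0.0.1', 'www.giantgeek.com',
                      '127.0.0.10', 'www.example.com'];
console.log(evaluatePac(SAMPLE_HOSTS));
```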

NOTE: Also see my ‘WPAD’ blog entry.