Didier Stevens

Thursday 4 April 2019

Quickpost: Browsers & Content-Disposition

Filed under: Quickpost — Didier Stevens @ 0:00

A quick check confirmed that response header Content-Disposition can direct browsers to display or save a file.

I used my tcp-honeypot.py to serve 3 HTTP responses:

HTTP/1.1 200 OK
Content-Disposition: inline

Line 1
Line 2
Line 3

 

HTTP/1.1 200 OK
Content-Disposition: attachment

Line 1
Line 2
Line 3

 

HTTP/1.1 200 OK
Content-Disposition: attachment; filename=”test.js”

Line 1
Line 2
Line 3

 

Only the Content-Disposition response header changes between these 3 responses.

With Content-Disposition response header “inline”, Internet Explorer displays the content inside the browser window:

With Content-Disposition response header “attachment”, Internet Explorer proposes to save the content to disk using a generated filename:

With Content-Disposition response header “attachment; filename=”test.js””, Internet Explorer proposes to open or save the content to disk using the provided filename test.js:

When option Open is selected, file test.js will be opened with the Windows scripting host (after warnings are clicked away).

The behavior of Edge is quite similar:

Google Chrome saves the file to disk without prompting the user (attachment):

And Firefox prompts the user (attachment):

Tests were conducted on a fully patched Windows 10 1809 machine, with default configurations for Internet Explorer and Edge.

The latest versions of Chrome and Firefox were installed with default configurations.


Quickpost info


1 Comment »

  1. […] Quickpost: Browsers & Content-Disposition […]

    Pingback by Overview of Content Published in April | Didier Stevens — Sunday 19 May 2019 @ 7:55


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.