A quick check confirmed that response header Content-Disposition can direct browsers to display or save a file.
I used my tcp-honeypot.py to serve 3 HTTP responses:
HTTP/1.1 200 OK
Content-Disposition: inline

Line 1
Line 2
Line 3

HTTP/1.1 200 OK
Content-Disposition: attachment

Line 1
Line 2
Line 3

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="test.js"

Line 1
Line 2
Line 3
Only the Content-Disposition response header changes between these 3 responses.
With Content-Disposition response header "inline", Internet Explorer displays the content inside the browser window:
With Content-Disposition response header "attachment", Internet Explorer proposes to save the content to disk using a generated filename:
With Content-Disposition response header attachment; filename="test.js", Internet Explorer proposes to open or save the content to disk using the provided filename test.js:
When option Open is selected, file test.js will be opened with the Windows scripting host (after warnings are clicked away).
The behavior of Edge is quite similar:
Google Chrome saves the file to disk without prompting the user (attachment):
And Firefox prompts the user (attachment):
Tests were conducted on a fully patched Windows 10 1809 machine, with default configurations for Internet Explorer and Edge.
The latest versions of Chrome and Firefox were installed with default configurations.
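To reproduce the three responses above without tcp-honeypot.py, here is an added example (not the post's own script) of a minimal Python server that returns the same body with a different Content-Disposition header depending on the request path; the paths /inline, /attachment and /attachment-filename are an assumption of this example.

```python
# Added example, not the post's tcp-honeypot.py setup: serves the three
# responses from the post so each Content-Disposition value can be tested
# against a browser on 127.0.0.1:8080. Paths are an assumption of this example.
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = "Line 1\r\nLine 2\r\nLine 3\r\n"

# Request path -> Content-Disposition value, one per test case in the post.
DISPOSITIONS = {
    "/inline": "inline",
    "/attachment": "attachment",
    "/attachment-filename": 'attachment; filename="test.js"',
}


def disposition_for(path: str) -> str:
    """Header value for a request path; unknown paths fall back to inline."""
    return DISPOSITIONS.get(path, "inline")


def build_response(disposition: str, body: str = BODY) -> bytes:
    """Raw HTTP/1.1 response bytes for one test case.

    Only Content-Disposition differs between the cases, as in the post.
    No Content-Type is sent, so the browser sniffs the body; the empty
    line (CRLF CRLF) is what separates the headers from the body, and
    Content-Length plus Connection: close tell the browser where it ends.
    """
    encoded = body.encode()
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Length: %d" % len(encoded),
        "Content-Disposition: %s" % disposition,
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + encoded


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Write the raw response ourselves so the bytes on the wire are
        # exactly those produced by build_response().
        self.wfile.write(build_response(disposition_for(self.path)))
        self.close_connection = True


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Point a browser at http://127.0.0.1:8080/attachment-filename to see the filename prompt; the other two paths give the inline and generated-filename behaviour.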
[…] Quickpost: Browsers & Content-Disposition […]
Pingback by Overview of Content Published in April | Didier Stevens — Sunday 19 May 2019 @ 7:55
[…] my quickpost “Quickpost: Browsers & Content-Disposition“, I needed a simple web server that would serve a page that I could fully control (headers […]
Pingback by Quickpost: tcp-honeypot.py & Browser Tests | Didier Stevens — Tuesday 30 July 2019 @ 0:00