Re: Problems with Zip+IE6

# ceo@xxxxxxxxx / 2006-12-15 22:55:54 -0600:
> On Tue, December 12, 2006 11:04 am, Frank M. Kromann wrote:
> > if you use:
> >
> > header("Content-Type: application/zip");
> > header("Content-Disposition: attachment; filename=\"somefile.zip\"");
> >
> > That works for me with IE 6/7 and other browsers.
> 
> Argggggh.
> 
> Please read this:
> http://richardlynch.blogspot.com/
> 
> Go test with MORE browsers and MORE OSes, because you haven't yet hit
> the ones where your Content-Disposition does not work, and they are
> out there somewhere.

As if it mattered that much. The filename's just a hint, the browser
can be configured to ignore it even if it understands it, whatever.
I would even say you're bound to hit a browser configured for some
unintelligent reason to handle all app/o-s files with winamp. So what?
You cannot count on anything the UA will/not do to the content.

BTW, the "1995 johnny-come-lately Microsoft made-up Content-disposition
header" has been proposed for MIME by Qualcomm (RFC1806, RFC2183).

HTTP/1.1 (RFC2616) says:

15.5 Content-Disposition Issues:

   RFC 1806 [35], from which the often implemented Content-Disposition
   (see section 19.5.1) header in HTTP is derived, has a number of very
   serious security considerations. Content-Disposition is not part of
   the HTTP standard, but since it is widely implemented, we are
   documenting its use and risks for implementors. See RFC 2183 [49]
   (which updates RFC 1806) for details.

[...]

19.5.1 Content-Disposition

   The Content-Disposition response-header field has been proposed as a
   means for the origin server to suggest a default filename if the user
   requests that the content is saved to a file. This usage is derived
   from the definition of Content-Disposition in RFC 1806 [35].

        content-disposition = "Content-Disposition" ":"
                              disposition-type *( ";" disposition-parm )
        disposition-type = "attachment" | disp-extension-token
        disposition-parm = filename-parm | disp-extension-parm
        filename-parm = "filename" "=" quoted-string
        disp-extension-token = token
        disp-extension-parm = token "=" ( token | quoted-string )

   An example is

        Content-Disposition: attachment; filename="fname.ext"

   The receiving user agent SHOULD NOT respect any directory path
   information present in the filename-parm parameter, which is the only
   parameter believed to apply to HTTP implementations at this time. The
   filename SHOULD be treated as a terminal component only.

   If this header is used in a response with the application/octet-
   stream content-type, the implied suggestion is that the user agent
   should not display the response, but directly enter a `save response
   as...' dialog.

   See section 15.5 for Content-Disposition security issues.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE.             http://bash.org/?255991

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
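
The RFC 2616 text quoted in the message above says a receiving user agent should treat the suggested filename as a terminal component only. The following is an added example, not part of the original message: a PHP script that receives a Content-Disposition header and applies that rule before writing to disk. `cd_filename()` and `terminal_component()` are hypothetical names, the `download.bin` fallback is an assumption, and the sample header values are constructed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Extract filename-parm (token or quoted-string) per the RFC 2616 19.5.1 grammar.
function cd_filename(string $value): ?string
{
    // Group 1: quoted-string body, which may contain quoted-pairs (\x). Group 2: bare token.
    $re = '/;\s*filename\s*=\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^\s;"]+))/i';
    if (!preg_match($re, $value, $m)) {
        return null;                       // no filename parameter present
    }
    if (isset($m[2]) && $m[2] !== '') {
        return $m[2];                      // token form, nothing to unescape
    }
    return preg_replace('/\\\\(.)/s', '$1', $m[1]);  // undo quoted-pairs
}

// Reduce an untrusted suggested name to a terminal component only.
function terminal_component(?string $name, string $fallback = 'download.bin'): string
{
    if ($name === null) {
        return $fallback;
    }
    // Treat both "/" and "\" as separators regardless of host OS; keep the last segment.
    $parts = explode('/', str_replace('\\', '/', $name));
    $name = end($parts);
    // Drop control characters and characters Windows reserves in file names.
    $name = preg_replace('/[\x00-\x1F\x7F:*?"<>|]/', '', $name);
    $name = trim($name, ' .');             // also rejects "." and ".."
    return ($name === '') ? $fallback : $name;
}

// Constructed header values, not taken from the thread.
$samples = [
    'attachment; filename="somefile.zip"',
    'attachment; filename="../../tmp/x.zip"',
    'attachment; filename="C:\\\\Windows\\\\win.ini"',
    'attachment; filename=report.pdf',
    'attachment',
];
foreach ($samples as $h) {
    printf("%-50s => %s\n", $h, terminal_component(cd_filename($h)));
}
```

The parser covers only the `filename` parameter defined in the quoted grammar; any other parameter is ignored and the fallback name is used when none is found.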