# ceo@xxxxxxxxx / 2006-12-15 22:55:54 -0600:
> On Tue, December 12, 2006 11:04 am, Frank M. Kromann wrote:
> > if you use:
> >
> > header("Content-Type: application/zip");
> > header("Content-Disposition: attachment; filename=\"somefile.zip\"");
> >
> > That works for me with IE 6/7 and other browsers.
>
> Argggggh.
>
> Please read this:
> http://richardlynch.blogspot.com/
>
> Go test with MORE browsers and MORE OSes, because you haven't yet hit
> the ones where your Content-Disposition does not work, and they are
> out there somewhere.
As if it mattered that much. The filename's just a hint, the browser
can be configured to ignore it even if it understands it, whatever.
I would even say you're bound to hit a browser configured for some
unintelligent reason to handle all app/o-s files with winamp. So what?
You cannot count on anything the UA will/not do to the content.
BTW, the "1995 johnny-come-lately Microsoft made-up Content-disposition
header" has been proposed for MIME by Qualcomm (RFC1806, RFC2183).
HTTP/1.1 (RFC2616) says:
15.5 Content-Disposition Issues:
RFC 1806 [35], from which the often implemented Content-Disposition
(see section 19.5.1) header in HTTP is derived, has a number of very
serious security considerations. Content-Disposition is not part of
the HTTP standard, but since it is widely implemented, we are
documenting its use and risks for implementors. See RFC 2183 [49]
(which updates RFC 1806) for details.
[...]
19.5.1 Content-Disposition
The Content-Disposition response-header field has been proposed as a
means for the origin server to suggest a default filename if the user
requests that the content is saved to a file. This usage is derived
from the definition of Content-Disposition in RFC 1806 [35].
content-disposition = "Content-Disposition" ":"
disposition-type *( ";" disposition-parm )
disposition-type = "attachment" | disp-extension-token
disposition-parm = filename-parm | disp-extension-parm
filename-parm = "filename" "=" quoted-string
disp-extension-token = token
disp-extension-parm = token "=" ( token | quoted-string )
An example is
Content-Disposition: attachment; filename="fname.ext"
The receiving user agent SHOULD NOT respect any directory path
information present in the filename-parm parameter, which is the only
parameter believed to apply to HTTP implementations at this time. The
filename SHOULD be treated as a terminal component only.
If this header is used in a response with the application/octet-
stream content-type, the implied suggestion is that the user agent
should not display the response, but directly enter a `save response
as...' dialog.
See section 15.5 for Content-Disposition security issues.
--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
