Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for the HTTP header X-Download-Options #3388

Open
JaneX8 opened this issue Apr 21, 2017 · 2 comments
Open

Add support for the HTTP header X-Download-Options #3388

JaneX8 opened this issue Apr 21, 2017 · 2 comments
Labels
Support data suggestion

Comments

@JaneX8
Copy link
Contributor

JaneX8 commented Apr 21, 2017

The X-Download-Options HTTP header has only one option: X-Download-Options: noopen. This is for Internet Explorer from version 8 on to instruct the browser not to open a download directly in the browser, but instead to provide only the ‘Save’ option. The user has to first save it and then open it in an application. The reason for this is that when HTML files download from the application, the browser will render it directly inline. That means that the file renders as part of the application and has direct access to the security context of it, meaning it may run phishing attacks or maybe access critical domain cookies.

https://rorsecurity.info/portfolio/new-http-headers-for-more-security
@JaneX8 JaneX8 mentioned this issue Apr 21, 2017
Closed
@Malvoz
Copy link
Contributor

Malvoz commented Nov 25, 2018
edited
Loading

There is a request for implementation in Edge:
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/18488178/

However, it may be that the security issue is solved in Edge, and that the only benefit of adding this to Edge would be to allow developers to hide the "Open" button after file downloads just for the sake of hiding it.

@Medvezo Medvezo mentioned this issue Mar 29, 2019
Closed
@Loqova
Copy link

Loqova commented Jun 10, 2022

I think this needs to be documented and can be part of the security category on CanIUse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Support data suggestion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Fyrd @JaneX8 @Malvoz @Loqova