Uses of content-disposition in an HTTP response header

by

Note that RFC 6266 supersedes the RFCs referenced below. Section 7 outlines some of the related security concerns.

The authority on the content-disposition header is RFC 1806 and RFC 2183. People have also devised content-disposition hacking. It is important to note that the content-disposition header is not part of the HTTP 1.1 standard.

The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:

15.5 Content-Disposition Issues

RFC 1806 [35], from which the often
implemented Content-Disposition
(see section 19.5.1) header in HTTP is
derived, has a number of very
serious security considerations.
Content-Disposition is not part of
the HTTP standard, but since it is
widely implemented, we are
documenting its use and risks for
implementors. See RFC 2183 [49]
(which updates RFC 1806) for details.

More Related Contents:

  1. Difference between Pragma and Cache-Control headers?
  2. What HTTP response headers are required
  3. application/x-www-form-urlencoded or multipart/form-data?
  4. Do I need Content-Type: application/octet-stream for file download?
  5. Maximum on HTTP header values?
  6. ‘Refresh’ HTTP header
  7. Is there a practical HTTP Header length limit?
  8. Detecting the character encoding of an HTTP POST request
  9. What are all the possible values for HTTP “Content-Type” header?
  10. Ideal HTTP cache control headers for different types of resources
  11. Remove http referer
  12. HTTP Range header
  13. How can I get the clients IP address from HTTP headers?
  14. Content-Length header with HEAD requests?
  15. Difference between Content-Range and Range headers?
  16. How does “304 Not Modified” work exactly?
  17. How big can a user agent string get?
  18. What is Cache-Control: private?
  19. How can I find out whether a server supports the Range header?
  20. What is a full specification of X-Forwarded-Proto HTTP header?
  21. Does the HTTP Protocol support multiple content types in response headers?
  22. What is the http-header “X-XSS-Protection”?
  23. What is HTTP “Host” header?
  24. What does HTTP/1.1 302 mean exactly?
  25. HTTP Cache Control max-age, must-revalidate
  26. Is the Content-Length header required for a HTTP/1.0 response?
  27. Is REST DELETE really idempotent?
  28. What is the proper HTTP response to send for requests that require SSL/TLS
  29. Keep-alive header clarification
  30. S3: How to do a partial read / seek without downloading the complete file?

Leave a Comment