Stream: hapi
Topic: Binary Resource Content-Disposition
Michael Lawley (Feb 28 2017 at 00:25):
In the code that serves up Binary Resources the Content-Disposition header is explicitly forced to equal "Attachment;"
The associated comment suggests this is a security measure to avoid malicious images being served up as content. There are two unfortunate consequences of this:
1. It doesn't work - if you include <img src="/Binary/id-for-image"> in a page then browsers will happily render that image
2. It stuffs up other uses - if you include <object data="/Binary/id-for-video"></object> then browsers download the video rather than playing it (actually my use-case is SVG not video)
So, is this really a useful bit of code? Is there any way to work around it?
Grahame Grieve (Feb 28 2017 at 00:42):
I thought #2 was the security related issue
Michael Lawley (Feb 28 2017 at 01:30):
So, my use-case is that I have image/svg+xml content in my Binary resources and I want to include them in <object> tags in my html. This "fails" as the svg is not rendered but instead downloaded. It works fine with <img> tags, however.
But, I'm not sure I understand what is being protected against.
Grahame Grieve (Feb 28 2017 at 01:35):
<object> is illegal, for a start
Michael Lawley (Feb 28 2017 at 01:38):
What do you mean illegal? I'm not talking about narrative - I have a web app that's doing this
Grahame Grieve (Feb 28 2017 at 01:38):
sorry it's just me that assumed that html = narrative
Last updated: Apr 12 2022 at 19:14 UTC