No repro for me.
accept-ranges: bytes
cache-control: max-age=31536000, private
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
content-encoding: gzip
content-transfer-encoding: binary
content-type: application/octet-stream
date: Thu, 23 Jul 2020 16:10:54 GMT
expires: Fri, 23 Jul 2021 16:52:16 GMT
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
pragma
server: nginx
set-cookie
status: 200
vary: Accept-Encoding
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
x-frame-options: SAMEORIGIN
x-httpd-a: 10.0.100.114:8080
x-httpd-t: 0.179
x-lb-app: 10.0.100.135
This is from the direct link rather than the mirror, but I get the same content type either way of application/octet-stream which is valid as per spec.
The reason it's done that way is because back in the day there were complaints from people who clicked on the link and it opened in their browser without a back button, so it's part of the way it forces the download because old browsers didn't properly respect Content-Disposition and the script has never been updated to do it.
Though I'd honestly have to wonder why it matters; the point is to force a download, you'd get the same thing with Content-Disposition: attachment but you'd have a slightly different MIME type... and no-one would be any the wiser because all practical matters are that the file would be downloaded rather than viewed (and if *that* was your complaint, you should have said so)
Thanks to both of you for looking into this.
@vbgamer45: Right, that's what I see, too, an application/zip content type, as originally reported.
@Arantor: Your request logs differ from mine, so some of the environment and/or parameters must have differed, too.
I was using Firefox 78.0.2, but testing a little with copying the request 'as curl' from the Network tab of Firefox's web developer tools, and simplifying the request by dropping many parameters showed that only two parameters must be set:
- the P cookie, which had to have a value previously set / returned by the server / application
- the browser's user agent (I have not tried to simplify the UA further)
$ curl -I 'https://download.simplemachines.org/index.php/smf_2-0-16_changelog.txt' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Cookie: P=[redactedcookievalue]'
HTTP/2 200
server: nginx
date: Thu, 23 Jul 2020 16:30:37 GMT
content-type: application/zip
expires: Fri, 23 Jul 2021 16:30:37 GMT
cache-control: max-age=31536000, private
pragma:
x-frame-options: SAMEORIGIN
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
accept-ranges: bytes
set-cookie:
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
x-httpd-a: 10.0.100.113:8080, 10.0.100.111:8080
x-lb-app: 10.0.100.134
x-httpd-t: -, 0.054
The reason I originally reported this is that these downloads are offered as ZIP archives, which makes the browser offer applications for opening it which are unsuitable for viewing plain text files:
(https://i.imgur.com/dAnEMTF.png)
About forcing a download:
This was not the topic I wanted to discuss originally, and so I did not bring it up. I don't personally see a need to force a text file download, and personally find it more convenient to have the web browser show content it can show by itself, and I can always force a download if I want to. But I understand there can be different opinions on this matter, and different needs.
So if the intention is to force a download, then the commonly used (but not standardized) content type for this would seem to be application/force-download, whereas the approach conforming with web standards should really be an unmodified Content-Type (so text/plain) combined with the Content-Disposition: attachment header. How web browsers handle this header may differ (I cannot tell); support for the Content-Disposition header is widely implemented (https://caniuse.com/#search=Content-Disposition).
The following is just for completeness.
Original request header (triggered by the request/response against https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt):
GET /index.php/smf_2-0-16_changelog.txt HTTP/1.1
Host: download.simplemachines.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt
DNT: 1
Connection: keep-alive
Cookie: P=[redacted]; OAID=[redacted]; SMFCookieDE001=[redacted]
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
As curl command (replace [redacted] by legitimate values, or the result will be misleading):
curl 'https://download.simplemachines.org/index.php/smf_2-0-16_changelog.txt' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cookie: P=[redacted]; OAID=[redacted]; SMFCookieDE001=[redacted]' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'TE: Trailers'
Original response header:
HTTP/2 200 OK
server: nginx
date: Thu, 23 Jul 2020 19:41:51 GMT
content-type: application/zip
expires: Fri, 23 Jul 2021 20:23:13 GMT
cache-control: max-age=31536000, private
pragma:
x-frame-options: SAMEORIGIN
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
accept-ranges: bytes
set-cookie:
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
content-encoding: gzip
vary: Accept-Encoding
x-httpd-a: 10.0.100.114:8080
x-lb-app: 10.0.100.135
x-httpd-t: 0.156
X-Firefox-Spdy: h2
The gzip is because your browser supports gzip decompression, so the server is able to compress the contents to send. You can test that by omitting that in your request headers. Would have to look at why it's sending the wrong content type though.
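Added example, not part of any post in this thread and not code from the download script: a small checker that compares the declared Content-Type of a download response with the type implied by the Content-Disposition filename, which is the mismatch reported above. The function names, verdict labels and the trimmed header samples are assumptions constructed from the responses quoted in the thread.

```python
import mimetypes
from email.message import Message

# Content types that describe nothing about the payload; used to force a download.
GENERIC = {"application/octet-stream", "application/force-download"}

# Constructed samples: the header pairs quoted in the thread, trimmed.
RESP_ZIP = '''HTTP/2 200
content-type: application/zip
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
'''
RESP_OCTET = RESP_ZIP.replace("application/zip", "application/octet-stream")
RESP_PLAIN = RESP_ZIP.replace("application/zip", "text/plain; charset=utf-8")

def parse_headers(raw):
    """Turn 'name: value' lines (curl -I style) into a dict with lowercase names."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers[name.strip().lower()] = value.strip()
    return headers

def check_download(raw):
    """Compare the declared Content-Type with the type implied by the filename."""
    h = parse_headers(raw)
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    msg = Message()  # reuse the stdlib MIME parameter parser for the filename
    msg["content-disposition"] = h.get("content-disposition", "inline")
    filename = msg.get_filename()
    expected = mimetypes.guess_type(filename)[0] if filename else None
    if msg.get_content_disposition() != "attachment":
        verdict = "not-forced"   # browser may render the body inline
    elif expected is None:
        verdict = "unknown"      # extension not in the MIME table
    elif declared == expected:
        verdict = "consistent"   # e.g. text/plain + attachment
    elif declared in GENERIC:
        verdict = "generic"      # opaque type, download still forced
    else:
        verdict = "mismatch"     # e.g. a .txt file labelled application/zip
    return {"filename": filename, "declared": declared,
            "expected": expected, "verdict": verdict}

if __name__ == "__main__":
    for sample in (RESP_ZIP, RESP_OCTET, RESP_PLAIN):
        print(check_download(sample))
```

Paste the output of `curl -I` into `check_download` to test a live response; only a "mismatch" verdict means the server is labelling the file as a different concrete type than its name implies.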