bogus Content-Disposition header field sent to Firefox

Started by reschke, September 08, 2011, 05:42:02 AM

Previous topic - Next topic

reschke

We believe the site is sending a bogus Content-Disposition header field for download links (to Firefox). This will cause Firefox 8 to ignore them.

See details in Mozilla Bugzilla entry 685060.

mashby

Mind providing a link to Mozilla Bugzilla entry 685060? Firefox 8?
Always be a little kinder than necessary.
- James M. Barrie

reschke

I would have done that if the forum software would let me do it.

Let's try this:

bugzilla.mozilla.org/show_bug.cgi?id=685060

Kindred

Firefox 8? ???

Firefox 7 was just released in Beta...   We don't even pretend to support alpha versions of browser softwares...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

reschke

Firefox 8 goes beta in three weeks and will be released in nine weeks. At that point, the download links will fail to work (the name not being used).

This is caused by the software special-casing Firefox, and sending a broken header field value, which won't be accepted anymore.




Thantos

What did FF change in this regard and when?  I'm worried that just removing the FF case will break some of the older versions of FF.

Can you also provide the UA that FF8 is using?

reschke

It's all in the bug report I linked to.

Essentially, when using the "filename*" notation, the value of the parameter must not use double quotes. That notation will work with all browsers that support "filename*", which are all except Safari and Internet Explorer < version 9.

See greenbytes.de/tech/tc2231/#attwithfn2231quot [nofollow]

And no, you don't need to check for a specific Firefox version.

Thantos

Ok I see the problem.  We are sending
QuoteContent-Disposition: attachment; filename*="UTF-8''Adk_Menu_Buttons.zip"
When we should be sending
QuoteContent-Disposition: attachment; filename*="UTF-8''Adk_Menu_Buttons.zip

Looking at the code I think I see how the error came in.

Thantos


reschke

Quote from: Thantos on September 08, 2011, 10:15:01 AM
Ok I see the problem.  We are sending
QuoteContent-Disposition: attachment; filename*="UTF-8''Adk_Menu_Buttons.zip"
When we should be sending
QuoteContent-Disposition: attachment; filename*="UTF-8''Adk_Menu_Buttons.zip

Looking at the code I think I see how the error came in.

Actually there shouldn't be a double quote after the filename*=.

You may want to validate what you have with redbot.org [nofollow] (which does validity checks on HTTP responses).

Thantos

Thanks, missed that one.  Will fix the patch. (stupid quotes are so hard to see first thing in the morning).

reschke

Quote from: Thantos on September 08, 2011, 11:05:35 AM
Thanks, missed that one.  Will fix the patch. (stupid quotes are so hard to see first thing in the morning).

:-) That's why the online validator is so useful.


Thantos

Yeah, too bad my test boxes aren't public facing and I'd be lynched if I just made the changes here without testing/validating it first :D

Thantos

Quote from: Mongoose on September 09, 2011, 10:29:38 AM
The same for Opera browser
What's the problem for the opera browser?  It gives a correct format:
Quote
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 09 Sep 2011 14:33:36 GMT
    Content-Type: application/octetstream
    Connection: keep-alive
    Set-Cookie:
    Expires: Sat, 08 Sep 2012 14:33:36 GMT
    Cache-Control: max-age=31536000
    Pragma:
    Content-Encoding: none
    Last-Modified: Sun, 17 Jul 2011 01:07:14 GMT
    Accept-Ranges: bytes
    ETag: "f6f5ef22730e6607b63d7c1c399ea651"
    Content-Transfer-Encoding: binary
    Content-Disposition: attachment; filename="Adk_Menu_Buttons.zip"
    Content-Length: 14123
redbot results

reschke

#14
The only reason to send filename* instead of filename is because the filename might contain characters outside the ASCII range.

If it never does, don't bother with filename*.

If it does, just "filename" doesn't work interoperably. Your best bet is to use the filename* format (following RFCs 5987 and 6266), and to use that for all browsers except for legacy ones (IE < 9) and broken ones (Safari). For those, you can strip out non-ASCII characters and use the simpler format.

RFC 6266, Appendix D (greenbytes.de/tech/webdav/rfc6266.html#rfc.section.D) has the details. See also trac.tools.ietf.org/wg/httpbis/trac/wiki/ContentDispositionProducerAdvice [nofollow]

Thantos


reschke

#16
Again, avoid UA sniffing if you can.

Opera, Chrome, Firefox, IE (>=9) and Konqueror all accept the same notation.


Mongoose

Sorry guys for false alarm.
There was a "Mask as Firefox" option enabled by mistake in my browser.

SleePy

Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Advertisement: