Incorrect content type for changelog downloads

Started by tomreyn, July 23, 2020, 12:35:38 PM


tomreyn

Changelog downloads, such as
https://download.simplemachines.org/index.php/smf_2-0-16_changelog.txt
download with content-type: application/zip. Which it clearly isn't. Please update the server side script to provide the correct content-type (probably text/plain here).

vbgamer45

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Arantor

No repro for me.

accept-ranges: bytes
cache-control: max-age=31536000, private
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
content-encoding: gzip
content-transfer-encoding: binary
content-type: application/octet-stream
date: Thu, 23 Jul 2020 16:10:54 GMT
expires: Fri, 23 Jul 2021 16:52:16 GMT
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
pragma
server: nginx
set-cookie
status: 200
vary: Accept-Encoding
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
x-frame-options: SAMEORIGIN
x-httpd-a: 10.0.100.114:8080
x-httpd-t: 0.179
x-lb-app: 10.0.100.135


This is from the direct link rather than the mirror, but I get the same content type either way of application/octet-stream which is valid as per spec.

The reason it's done that way is because back in the day there were complaints from people who clicked on the link and it opened in their browser without a back button, so it's part of the way it forces the download because old browsers didn't properly respect Content-Disposition and the script has never been updated to do it.

Though I'd honestly have to wonder why it matters; the point is to force a download, you'd get the same thing with Content-Disposition: attachment but you'd have a slightly different MIME type... and no-one would be any the wiser because all practical matters are that the file would be downloaded rather than viewed (and if *that* was your complaint, you should have said so)

vbgamer45

I get it in Firefox
Quote
GET https://download.simplemachines.org/index.php/smf_2-0-17_changelog.txt
Status: 200 OK
Version: HTTP/2
Transferred: 1.05 KB (890.73 KB size)
Referrer Policy: no-referrer-when-downgrade

accept-ranges: bytes
cache-control: max-age=31536000, private
content-disposition: attachment; filename="smf_2-0-17_changelog.txt"
content-encoding: gzip
content-type: application/zip
date: Thu, 23 Jul 2020 18:08:37 GMT
expires: Fri, 23 Jul 2021 18:08:37 GMT
last-modified: Tue, 31 Dec 2019 03:49:39 GMT
pragma:
server: nginx
set-cookie:
vary: Accept-Encoding
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
X-Firefox-Spdy: h2
x-frame-options: SAMEORIGIN
x-httpd-a: 10.0.100.111:8080
x-httpd-t: 0.209
x-lb-app: 10.0.100.134

tomreyn

Thanks to both of you for looking into this.

@vbgamer45: Right, that's what I see, too, an application/zip content type, as originally reported.

@Arantor: Your request logs differ from mine, so some of the environment and/or parameters must have differed, too.

I was using Firefox 78.0.2, but testing a little with copying the request 'as curl' from the Network tab of Firefox's web developer tools, and simplifying the request by dropping many parameters showed that only two parameters must be set:


  • the P cookie, which had to have a value previously set / returned by the server / application
  • the browser's user agent (I have not tried to simplify the UA further)

$ curl -I 'https://download.simplemachines.org/index.php/smf_2-0-16_changelog.txt' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Cookie: P=[redactedcookievalue]'
HTTP/2 200
server: nginx
date: Thu, 23 Jul 2020 16:30:37 GMT
content-type: application/zip
expires: Fri, 23 Jul 2021 16:30:37 GMT
cache-control: max-age=31536000, private
pragma:
x-frame-options: SAMEORIGIN
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
accept-ranges: bytes
set-cookie:
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
x-httpd-a: 10.0.100.113:8080, 10.0.100.111:8080
x-lb-app: 10.0.100.134
x-httpd-t: -, 0.054


The reason I originally reported this is that these downloads are offered as ZIP archives, which makes the browser offer applications for opening it which are unsuitable for viewing plain text files:



About forcing a download:
This was not the topic I wanted to discuss originally, and so I did not bring it up. I don't personally see a need to force a text file download, and personally find it more convenient to have the web browser show content it can show by itself, and I can always force a download if I want to. But I understand there can be different opinions on this matter, and different needs.

So if the intention is to force a download, then the commonly used (but not standardized) content type for this would seem to be application/force-download, whereas the approach conforming with web standards should really be an unmodified Content-Type (so text/plain) combined with the Content-Disposition: attachment header. How web browsers handle this header may differ (I cannot tell); support for the Content-Disposition header is widely implemented.


The following is just for completeness.

Original request header (triggered by the request/response against https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt):
GET /index.php/smf_2-0-16_changelog.txt HTTP/1.1
Host: download.simplemachines.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt
DNT: 1
Connection: keep-alive
Cookie: P=[redacted]; OAID=[redacted]; SMFCookieDE001=[redacted]
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache


As curl command (replace [redacted] by legitimate values, or the result will be misleading):
curl 'https://download.simplemachines.org/index.php/smf_2-0-16_changelog.txt' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://download.simplemachines.org/index.php?thanks;filename=smf_2-0-16_changelog.txt' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cookie: P=[redacted]; OAID=[redacted]; SMFCookieDE001=[redacted]' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'TE: Trailers'

Original response header:
HTTP/2 200 OK
server: nginx
date: Thu, 23 Jul 2020 19:41:51 GMT
content-type: application/zip
expires: Fri, 23 Jul 2021 20:23:13 GMT
cache-control: max-age=31536000, private
pragma:
x-frame-options: SAMEORIGIN
x-content-security-policy: allow 'self' http://*.googlesyndication.com https://*.googlesyndication.com; options inline-script eval-script; img-src *; script-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com http://*.googlesyndication.com http://*.doubleclick.net https://*.simplemachines.org https://*.simplemachinesweb.com https://*.googlesyndication.com https://*.doubleclick.net; style-src 'self' http://*.simplemachines.org http://*.simplemachinesweb.com https://*.simplemachines.org https://*.simplemachinesweb.com; frame-ancestors none;
last-modified: Sat, 28 Dec 2019 05:05:01 GMT
accept-ranges: bytes
set-cookie:
content-disposition: attachment; filename="smf_2-0-16_changelog.txt"
content-encoding: gzip
vary: Accept-Encoding
x-httpd-a: 10.0.100.114:8080
x-lb-app: 10.0.100.135
x-httpd-t: 0.156
X-Firefox-Spdy: h2
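
Added example, not part of any post in this thread and not code from the SMF download script: a small Python check that compares the declared Content-Type of a response against the type implied by the filename in Content-Disposition, run over header pairs constructed from the values quoted above. The function names, the verdict labels and the choice to treat application/octet-stream and application/force-download as generic "download" types are assumptions made for the illustration.

```python
import mimetypes
from email.message import Message

# Types that say nothing about the content (assumption: treated as "generic").
GENERIC = {"application/octet-stream", "application/force-download"}

# Constructed samples, built from header values quoted in the thread.
DISPOSITION = 'content-disposition: attachment; filename="smf_2-0-16_changelog.txt"\n'
REPORTED = "HTTP/2 200\ncontent-type: application/zip\n" + DISPOSITION
NO_REPRO = "content-type: application/octet-stream\n" + DISPOSITION
STANDARD = "content-type: text/plain\n" + DISPOSITION


def parse_headers(raw):
    """Parse 'name: value' lines; status lines and blank lines are skipped."""
    msg = Message()
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            msg[name.strip()] = value.strip()
    return msg


def audit(raw):
    """Compare the declared type with the type the filename extension implies."""
    msg = parse_headers(raw)
    declared = msg.get_content_type() if msg["content-type"] else None
    filename = msg.get_filename()
    expected = mimetypes.guess_type(filename)[0] if filename else None
    if declared is None or expected is None:
        verdict = "unknown"
    elif declared == expected:
        verdict = "consistent"
    elif declared in GENERIC:
        verdict = "generic"      # download is forced, type is uninformative
    else:
        verdict = "mismatch"     # a specific type that contradicts the file
    return {
        "declared": declared,
        "expected": expected,
        "forced_download": msg.get_content_disposition() == "attachment",
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("reported", REPORTED), ("no repro", NO_REPRO),
                       ("standard", STANDARD)):
        print(label, audit(raw))
```
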

SleePy

The gzip is because your browser supports gzip decompression, so the server is able to compress the contents to send. You can test that by omitting that in your request headers. Would have to look at why it's sending the wrong content type though.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!
