To prevent direct opening of attachments that may contain harmful content, a Content-Disposition header has been added that instructs the browser to save the file attachment rather than opening it directly.
About this task
The downside of this is that attachments of known file types (jpg, pdf, and so on) that would previously have opened directly now require additional steps for the customer. A whitelist mechanism has been implemented using two notes.ini file variables that allow customers to specify file types that should not be prevented from opening directly.
- iNotes_WA_Sec_AttachCDHeader
  - If set to 0, turns off the header setting.
  - If set to 1 (default), sets the header for all file types except those in the whitelist, plus (if the user-agent indicates Mobile and Safari) .bmp, .gif, .jpg, and text, plus (if the user-agent indicates Mobile, Safari, and Android) the extensions already listed, plus .csv, .doc, .pdf, .ppt, and .xls.
  - If set to 2, sets the header for all file types except those in the whitelist. Device browsers can open the default file types only when the notes.ini value is set to 1 or is not set at all; in that case, both the default four file types and those entered in the notes.ini file are used.
- iNotes_WA_Sec_AttachCDWhiteList specifies a comma-delimited list of attachment types that are allowed to open directly, for example, iNotes_WA_Sec_AttachCDWhiteList=jpg,pdf,gif