[thelist] Force file download from browser?

Steve Lewis slewis at macrovista.net
Wed May 15 15:08:01 CDT 2002


Mark Gallagher wrote:

> Sometimes, whether the OP is willing to believe it or not, we (the
> users) *like* to be able to control, for *ourselves*, how our browsers
> behave.  Forcing "Save As", preventing "Save As", whatever.  It's our
> choice whether we save something permanently to disk or simply view it
> in our browsers and, frankly, none of the web designer's damn business.

...except perhaps for the fact that too many users don't have a
sufficient level of mastery with the concepts of a "client" and a
"server"--and their interactions--to be trusted with this decision.
When the link is to a MS Word doc, you generally do not want to allow
visitors to open this document inline and modify it, and try to Save it
(rather than storing the modified content on their local drive with Save
As) because this will either confuse the user when the save fails, or
your server needs some help because you just allowed someone to save
changes to a scriptable (VBA is NOT your friend, if MS Outlook has left
any doubt in your mind) file stored on your server!

OR

...except perhaps for the fact that for security reasons, the web
application developer cannot trust the website's content author to not
compromise the security of the server, let's say by uploading files
containing malicious SSI or ASP or PHP or CF or (whatever) code to the
server, which then by calling a page-view to this script (which isn't
forced to download directly as you suggest) allows the website's content
author to execute arbitrary code on the server.  Even if you trust the
content author, who can rule out the possibility of socially engineering
malicious code onto the server in this way, through the content author?

If you are working with a dynamic website, not static pages, and you
don't know exactly what files the user is being given the option to view
or save, you had better NOT trust anyone, and you need to force
download.  I wanted to be sure these issues were not missed, even though
they do speak to a distinct subset of the folks who face the dilemma of
forcing download.

--Steve
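
The forced download described in the message above, as an added example that is not part of the original post: a small Python WSGI handler that only ever returns uploaded files as raw bytes with an attachment disposition, so nothing uploaded is handed to a script interpreter or rendered inline. The function names (`make_download_app`, `fetch`, `demo`), the choice of Python, and the assumption that the upload directory sits outside any path the web server executes are illustrative and do not come from the post.

```python
import os
import tempfile
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

def make_download_app(upload_dir):
    """WSGI app serving files in upload_dir as raw bytes, always as attachments."""
    root = os.path.realpath(upload_dir)

    def app(environ, start_response):
        # Keep only the last path component so "../" cannot leave the upload dir.
        name = os.path.basename(environ.get("PATH_INFO", ""))
        path = os.path.realpath(os.path.join(root, name))
        if not name or os.path.dirname(path) != root or not os.path.isfile(path):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        with open(path, "rb") as fh:
            body = fh.read()  # bytes are read, never interpreted or included
        headers = [
            ("Content-Type", "application/octet-stream"),
            ("Content-Disposition", "attachment; filename*=UTF-8''" + quote(name, safe="")),
            ("X-Content-Type-Options", "nosniff"),
            ("Content-Length", str(len(body))),
        ]
        start_response("200 OK", headers)
        return [body]
    return app

def fetch(app, path_info):
    """Call the WSGI app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path_info
    captured = {}
    def start_response(status, headers):
        captured.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def demo():
    """Constructed sample: an upload containing PHP source comes back as inert bytes."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.php"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        app = make_download_app(d)
        return fetch(app, "/notes.php"), fetch(app, "/../../etc/passwd")

if __name__ == "__main__":
    print(demo())
```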



