- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 03 Jun 2011 09:28:33 -0400
On 6/3/11 8:09 AM, Nils Dagsson Moskopp wrote:
> Eduard Pascual<herenvardo at gmail.com> schrieb am Fri, 3 Jun 2011
> 10:23:25 +0200:
>
>> This grants the ability for any content provider to use an explicit
>> "Content-Disposition: inline" HTTP header to effectively block
>> "download links" from arbitrary sources.
>
> ? thus placing a burden on content providers. If browser makers think
> content providers cannot even get their MIME types right (see image /
> video sniffing discussion), what makes you think anyone would configure
> headers for no immediate benefit?
There are two ways to get correct things to happen in a setup where the
HTTP header is authoritative but optional and other sources can provide
the information when the header is absent.
1) Send the right header.
2) Not send the header at all, and let other sources of information
work.
In the content-type case, some popular web servers have historically
defaulted to a third option: "Send a bogus header and to hell with it".
As a result, almost no one uses option 2 above (since it involves at
best reconfiguring the HTTP server and at worst switching to a different
HTTP server), and doing option 1 is hard, so the situation ends up bad.
For content-disposition, on the other hand, the vast majority of content
is already using option 2 above. That's the path of least resistance
for content providers, so only providers who are trying to go out of
their way to change the behavior will do something else. That
significantly reduces the chances of them sending bogus headers.
-Boris
Received on Friday, 3 June 2011 06:28:33 UTC