Headless Server Developer Manual / Version 2406.0
The MediaController is responsible for the delivery of binary content like images and other content types.

For security reasons, the Spring framework sets the HTTP Content-Disposition response header to the static value inline; filename=f.txt for potentially insecure content types, for example PDF files, unless it was specifically set previously. This behaviour may produce undesirable results when downloading files via the MediaController, as the filename is anonymous and the content type is forced to the suffix txt, no matter what the real content type might be.

It is however possible to configure Spring to suppress this default behaviour for specific content types, using CaasConfig.
```java
/**
 * Code example to suppress the default Content-Disposition header for
 * potentially insecure content types. Add to CaasConfig if necessary.
 */
@Override
public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
  configurer.mediaType("pdf", MediaType.APPLICATION_PDF);
  configurer.mediaType("eps", new MediaType("application", "postscript"));
}
```
Example 3.2. Configuring Content Type Resolution for PDF and EPS Files
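As an added example that is not part of this manual or of CoreMedia's own CaasConfig, the following shows both ways the text describes of avoiding the inline; filename=f.txt fallback: a WebMvcConfigurer that registers the PDF and EPS media types from Example 3.2, and an endpoint that sets Content-Disposition itself so Spring leaves it untouched. The class names, the /download path and the catalogue contents are assumptions constructed for illustration.

```java
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.core.io.Resource;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Hypothetical stand-in for CaasConfig (assumed name, not CoreMedia's class). */
@Configuration
public class MediaTypeConfig implements WebMvcConfigurer {
  @Override
  public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
    // Registering the extensions makes them known to Spring, so the fallback
    // header "inline; filename=f.txt" is no longer added for these responses.
    configurer.mediaType("pdf", MediaType.APPLICATION_PDF);
    configurer.mediaType("eps", new MediaType("application", "postscript"));
  }
}

/** Hypothetical download endpoint (assumed path); shows the "set it yourself" path. */
@RestController
class DownloadController {
  // Constructed sample data; a real service would load the blob from the repository.
  private static final Map<String, byte[]> CATALOGUE =
      Map.of("brochure", "%PDF-1.4 (constructed sample bytes)".getBytes());

  @GetMapping("/download/{id}")
  public ResponseEntity<Resource> download(@PathVariable String id) {
    byte[] data = CATALOGUE.get(id);
    if (data == null) {
      return ResponseEntity.notFound().build(); // unknown keys never reach the header below
    }
    // Spring leaves an existing Content-Disposition untouched, so the fallback does not apply.
    // The filename is derived from a known catalogue key, not from free-form request input.
    ContentDisposition disposition = ContentDisposition.attachment().filename(id + ".pdf").build();
    return ResponseEntity.ok()
        .header(HttpHeaders.CONTENT_DISPOSITION, disposition.toString())
        .contentType(MediaType.APPLICATION_PDF)
        .body(new ByteArrayResource(data));
  }
}
```

A request for /download/brochure then carries Content-Disposition: attachment; filename="brochure.pdf" and Content-Type: application/pdf, while /download/anything-else answers 404 without touching the header.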
Please see the original Spring Web MVC Documentation about Content Types for a more detailed insight into the security aspects and into so-called reflected file download attacks (RFD).
Also refer to Chapter 12, Media Endpoint about how the MediaController sets the Content-Disposition response header.