2

I've put up a web page that explains how I set up my Visual Studio settings. This includes downloads for .vsix extensions (the "Download" under "Erweiterungen installieren", "Indent Guides") or .config files (further down as "CodeMaid.config").

Internet Explorer and Edge are the only two browsers that deliberately alter the extensions of these download files into something that fails to work after download. Firefox simply does what the web server tells it and saves the downloaded file under the specified name.

I could handle the .vsix case by providing the MIME type "application/vsix" for it. Otherwise IE would have interpreted such files as .zip (which they technically are). They must not be renamed anyway because a .zip is opened totally differently than a .vsix file.

The .config file doesn't have a special MIME type though. It really is just an XML file and IE renames it to .xml. Unfortunately, it is meant to be used in a program that wants .config files.

Why is Internet Explorer breaking all kinds of things? How can it be stopped from doing such nonsense? I've found something about an HTTP header "X-Content-Type-Options: nosniff" for IE 8 but that doesn't change anything today so I suppose it's wrong or also broken. Or maybe I just need three more headers by now?

4
  • 2
    I went to your page in Edge and IE11, downloaded each file you mentioned, and the extensions were correct.
    – Ramhound
    Commented May 3, 2016 at 20:58
  • "mime sniffing" is a selectable item in the 'internet options' 'security' tab, when setting that for the zones, like if you adjust custom and look in there. That might be something you could look into. It is a little over 1/2 way down the list of items in there. I only assume that it checks beyond the file extension for what an item really is.
    – Psycogeek
    Commented May 3, 2016 at 21:15
  • 1
    I can't replicate the behaviour you describe. The downloads work fine for me in Edge and IE11.
    – Burgi
    Commented May 3, 2016 at 21:18
  • 1
    I found that option in the security settings, it was enabled. I disabled it but it still doesn't work. Also I'm looking for a server-side method so that I don't have to explain to everybody first how to fix their broken browser. Nobody will understand or do that just to download simple files.
    – ygoe
    Commented May 7, 2016 at 9:05

1 Answer

2

Use the following HTTP headers:

  • X-Download-Options: noopen
  • Content-Disposition: attachment; filename=untrustedfile.html

MIME-Handling: Force Save

Lastly, for web applications that need to serve untrusted HTML files, we have introduced a mechanism to help prevent the untrusted content from compromising your site’s security. When the new X-Download-Options header is present with the value noopen, the user is prevented from opening a file download directly; instead, they must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of your site, helping to prevent script injection.

1
  • Thank you, that works for IE and Edge. In fact the Content-Disposition: attachment header alone is enough and can be added in .htaccess for a number of file extensions automatically.
    – ygoe
    Commented Apr 22, 2017 at 13:59
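
An .htaccess sketch of the server-side approach from the answer and the follow-up comment, added here as an example and not taken from either poster's configuration. It assumes Apache with mod_mime and mod_headers enabled and `AllowOverride FileInfo` for the directory; the extension list is an assumption based on the two file types named in the question.

```apache
# Added example, not the site's actual configuration.

<IfModule mod_mime.c>
    # MIME type the asker reports using for .vsix so that IE does not
    # treat the package as a plain .zip.
    AddType application/vsix .vsix
</IfModule>

<IfModule mod_headers.c>
    # Extension list is an assumption: the two download types from the question.
    <FilesMatch "\.(vsix|config)$">
        # Force a save dialog. With no filename parameter the browser
        # falls back to the last path segment of the URL, so the
        # original extension is kept. Per the comment above, this
        # header alone was enough for IE and Edge.
        Header set Content-Disposition "attachment"

        # Ask the browser not to second-guess the declared Content-Type.
        Header set X-Content-Type-Options "nosniff"

        # IE: remove the "Open" choice so the file must be saved first
        # and is not opened in the security context of the site.
        Header set X-Download-Options "noopen"
    </FilesMatch>
</IfModule>
```

The response headers can be confirmed by requesting one of the files with any HTTP client that prints headers and checking that all three are present.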
