Issues that might arise due to having content disposition inline on images

Prem_IB
Level 1

21-02-2021

I have already asked the same question before on the forum, sorry for posting again. I asked the following question.

"I am trying to display images (png, jpeg, gif, svg) directly in the browser instead of letting the users download them. I've read from so many places that having the content disposition header as inline might cause some security issues, and it is better to have it as attachment. Can anyone provide me a scenario where this might be a problem?"

From the answers to my previous post, I could see that the security issues are mostly caused when a malicious attacker injects a script along with the image. Can we tackle this problem by adding a Content-Security-Policy script-src 'none'? My use case for this question only requires displaying the image in the browser window, and nothing else.


kunal23
MVP

21-02-2021

You can add an img-src attribute to the CSP header to reliably load images from trusted domains only.

For more details, please see this - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
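As an added illustration of the defensive setup discussed in this thread (example code, not from either poster), the following Python builds the response headers for serving a stored image inline: the MIME type is sniffed from the file bytes rather than trusted, X-Content-Type-Options: nosniff pins it, and a CSP with script-src 'none' and img-src 'self' keeps an SVG (which can carry script) from running anything. Anything that is not a recognised image falls back to Content-Disposition: attachment. The function names, the signature table and the exact CSP string are assumptions for this example.

```python
import re
from typing import Optional

# Magic bytes for the binary formats the question lists; SVG is text and is
# checked separately below.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Assumed policy for a response that must only ever be an image: no scripts
# (an SVG can embed <script>), no external fetches, image data from this origin.
INLINE_IMAGE_CSP = "default-src 'none'; script-src 'none'; img-src 'self'"


def detect_image_type(data: bytes) -> Optional[str]:
    """Sniff the MIME type from the stored bytes; None if not a recognised image."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    head = data[:512].lstrip()
    # Text that starts like XML/SVG and names an <svg> tag in the first 512 bytes
    # is treated as SVG; anything else (e.g. a plain HTML document) is rejected.
    if head.startswith((b"<?xml", b"<svg")) and re.search(rb"<svg[\s>]", head):
        return "image/svg+xml"
    return None


def image_response_headers(data: bytes, filename: str) -> dict:
    """Headers for serving stored bytes inline as an image, or as a download otherwise."""
    # Keep the filename to a conservative character set so it cannot break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "image"
    mime = detect_image_type(data)
    headers = {
        # nosniff stops the browser from reinterpreting the body as HTML or script.
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": INLINE_IMAGE_CSP,
    }
    if mime is None:
        # Not a known image: never render it inline, hand it over as an opaque download.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers
```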