NEW CHECK - X-Download-Options


The check would see if the Content-Disposition header exists in the response and verify that the 'X-Download-Options: noopen' header is present.
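
The proposed check as a passive scan over raw response heads, added here as an illustration; it is not code from this thread or from any tool, and the function names and sample responses are constructed. Each finding carries the disposition type and Content-Type so a reviewer can triage it by context.

```python
from email.parser import Parser


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, header object).
    The header object matches header names case-insensitively."""
    status, _, rest = raw.replace("\r\n", "\n").partition("\n")
    return status, Parser().parsestr(rest, headersonly=True)


def check_x_download_options(raw):
    """Return None when the check does not apply or passes, else a finding dict."""
    status, headers = parse_response_head(raw)
    if headers.get("Content-Disposition") is None:
        return None  # the check only looks at responses carrying Content-Disposition
    xdo = [v.strip().lower() for v in headers.get_all("X-Download-Options", [])]
    if "noopen" in xdo:
        return None
    return {
        "status": status,
        "disposition": headers.get_content_disposition(),
        "content_type": headers.get_content_type(),
        "x_download_options": xdo,  # empty list means the header is absent
    }


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "no-disposition": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "missing-header": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                      "Content-Disposition: attachment; filename=\"report.html\"\r\n\r\n",
    "has-noopen": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "content-disposition: attachment; filename=\"report.html\"\r\n"
                  "X-Download-Options:  NoOpen \r\n\r\n",
    "wrong-value": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                   "Content-Disposition: inline\r\n"
                   "x-download-options: open\r\n\r\n",
}


def run(samples=SAMPLES):
    """Apply the check to every sample and map sample name to its result."""
    return {name: check_x_download_options(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, "->", finding or "ok")
```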


ericlaw1979 wrote Apr 1 at 3:42 PM

Curious: What threat do you aim to mitigate with X-Download-Options? Generally, this header isn't required for any security purpose, and even if it were, it would be related to the MIME type of the target resource.

chrisweber wrote Apr 1 at 4:32 PM

Here's some background info ;) http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

Ya, I think that the security-usefulness of this would be very context-specific, and probably generate a lot of false positives. I should probably go ahead and close this one; it was never implemented as a check.

ericlaw1979 wrote Apr 3 at 7:21 PM

Well played, Chris, well played. :-)