NEW CHECK - X-Download-Options

description

The check would see if the Content-Disposition header exists in the response and verify that the 'X-Download-Options: noopen' header is present.
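The proposed check, written out as an added Python example (not the project's code), run over constructed response headers. The `active_only` switch and the `ACTIVE_TYPES` list are assumptions, included to show how tying the check to the MIME type, as raised in the comments, narrows the findings.

```python
# Added example; header names come from the page, everything else is assumed.
# Assumption: MIME types a browser would render as active content if opened.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def header_values(headers, name):
    """All values of header `name` (case-insensitive) from (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]

def check_download_options(headers, active_only=False):
    """Return a finding string for one response, or None if nothing to report."""
    dispositions = header_values(headers, "Content-Disposition")
    if not dispositions:
        return None  # the check only applies when Content-Disposition exists
    options = [v.strip().lower() for v in header_values(headers, "X-Download-Options")]
    if "noopen" in options:
        return None
    media = (header_values(headers, "Content-Type") or [""])[0]
    media = media.split(";", 1)[0].strip().lower()
    if active_only and media not in ACTIVE_TYPES:
        return None  # hypothetical filter to cut context-free findings
    kind = dispositions[0].split(";", 1)[0].strip().lower()
    return f"Content-Disposition: {kind} ({media or 'no type'}) lacks X-Download-Options: noopen"

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "/report.html": [("Content-Type", "text/html; charset=utf-8"),
                     ("Content-Disposition", "attachment; filename=report.html")],
    "/export.csv": [("Content-Type", "text/csv"),
                    ("content-disposition", "attachment; filename=export.csv")],
    "/safe.html": [("Content-Type", "text/html"),
                   ("Content-Disposition", "attachment; filename=safe.html"),
                   ("X-Download-Options", "NoOpen")],
    "/index.html": [("Content-Type", "text/html")],
}

def scan(samples, active_only=False):
    """Map each flagged path to its finding."""
    results = {}
    for path, headers in samples.items():
        finding = check_download_options(headers, active_only)
        if finding:
            results[path] = finding
    return results

if __name__ == "__main__":
    for mode in (False, True):
        print(f"active_only={mode}:", sorted(scan(SAMPLES, mode)))
```

Run as described, the check flags both downloads that lack the header; with the MIME filter on, only the HTML attachment remains.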

comments

ericlaw1979 wrote Apr 1, 2014 at 3:42 PM

Curious: What threat do you aim to mitigate with X-Download-Options? Generally, this header isn't required for any security purpose, and even if it were, it would be related to the MIME type of the target resource.

chrisweber wrote Apr 1, 2014 at 4:32 PM

Here's some background info ;) http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

Ya, I think that the security-usefulness of this would be very context-specific, and probably generate a lot of false positives. I should probably go ahead and close this one, it was never implemented as a check.

ericlaw1979 wrote Apr 3, 2014 at 7:21 PM

Well played, Chris, well played. :-)