From "Why can't I open a PDF file directly?" to "Script attack"

Source: Internet
Author: User

Let's start with a simple question.

Two days ago, a user on the internet asked me the following question: "Why does clicking the link of a PDF file uploaded to a SharePoint 2010 document library only offer to save the file, and not to open it?"

As shown in the preceding figure, the dialog box that the browser pops up offers only a Save option and no Open option. Some people may remember that this was not the case in SharePoint 2007: when a user clicked a PDF file stored in a SharePoint 2007 document library, the browser prompted the user to open it directly, and the locally installed PDF reader then opened the file so the user could start reading.

Let's first talk about how to solve this problem. Open SharePoint 2010 Central Administration, go to Manage Web Applications, select a web application, click "General Settings" in the ribbon, and in the settings dialog box that appears change the configuration item "Browser File Handling" from its default "Strict" to "Permissive".

Done! After you modify this setting, the browser shows the "Open" option again and you can open the PDF file directly.

If you just want to solve this problem, you don't have to read any further.

But why? Let's find out. Change the "Browser File Handling" setting in the web application's general settings back to the default "Strict". Open the document library. This time, before clicking the PDF file link, open the developer tools in the browser (press F12 in Internet Explorer; the following uses IE as an example, but Firefox and Chrome have similar tools). On the "Network" tab, click "Start capturing" to capture all network communication between the current browser window and the server, then click the link to the PDF file.

On the "Network" tab, find the request generated when you clicked the PDF link and double-click it to view the detailed request and response information. Click the "Response Headers" tab to view the HTTP headers returned by the SharePoint 2010 server. As shown in the figure, you will see an interesting header: "X-Download-Options: noopen".

This HTTP header tells the browser: "Do not open this file directly, and do not show the user an Open option!"

When we change the web application's "Browser File Handling" setting from "Strict" to "Permissive" in Central Administration, the SharePoint 2010 server stops adding this header to its HTTP responses, so the browser allows the user to open the file directly.

By default, SharePoint 2010 prevents the browser from directly opening any file stored in a document library by adding this extra header to the HTTP response it returns to the browser. So why does the local Office program open automatically when you click an Office document? Because script on the page calls the OpenDocuments ActiveX control, which starts the Office program on the client and opens the document there, rather than the browser opening it.
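The header check described above can also be done without clicking through developer tools. The following script is an added example, not code from the original post or from SharePoint: it parses a captured raw HTTP response and reports whether the response still carries the protection. Besides "X-Download-Options: noopen" (which only Internet Explorer honours) it also looks for "Content-Disposition: attachment", the cross-browser way of telling a browser to save rather than render a file. The two sample responses are constructed, and the function names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class DownloadAudit:
    noopen: bool        # X-Download-Options: noopen present (the header seen in the capture; IE honours it)
    attachment: bool    # Content-Disposition: attachment present (the cross-browser equivalent)
    content_type: str
    findings: list = field(default_factory=list)


def parse_headers(raw: str) -> dict:
    """Header block of a raw HTTP response -> dict with lower-cased names.
    A repeated header is joined with commas, as RFC 7230 permits."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                           # not a header line
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_download(raw: str) -> DownloadAudit:
    """Report whether a captured response still blocks direct opening."""
    h = parse_headers(raw)
    opts = [t.strip().lower() for t in h.get("x-download-options", "").split(",")]
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    audit = DownloadAudit(
        noopen="noopen" in opts,
        attachment=disposition == "attachment",
        content_type=h.get("content-type", "").split(";")[0].strip().lower(),
    )
    if not audit.noopen:
        audit.findings.append("no X-Download-Options: noopen; IE will offer 'Open'")
    if not audit.attachment:
        audit.findings.append("no Content-Disposition: attachment; browsers may render inline")
    return audit


# Constructed samples, not real SharePoint captures: a response as Strict mode
# would send it, and one after the setting was changed to Permissive.
STRICT_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                   "Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
                   "X-Download-Options: noopen\r\n\r\n%PDF-1.4 ...")
PERMISSIVE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                       "\r\n%PDF-1.4 ...")
```

Paste the response headers copied from the developer tools' "Response Headers" tab into audit_download() to see which of the two protections a given library URL still sends.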

Why does SharePoint 2010 do this? For better security. SharePoint usually allows users who are not site administrators to upload files to document libraries, so letting the browser open those uploaded files directly is very dangerous. In the worst case it gives a malicious user an opening for script attacks, up to and including cross-site scripting. For example, a malicious user uploads a Word document containing a script to the document library; when the administrator later tries to open it, the browser may open the file directly and unwittingly run the script it contains.

Of course, besides preventing users from opening document-library files directly in the browser, SharePoint 2010 provides other site-security enhancements. For example, a contributor cannot upload a page file directly to the Pages library; they can only create a page through the library's built-in "Create Page" function. As another example, by adding the SafeAgainstScript and RequiresDesignerPermission attributes to the <SafeControl> node in web.config, the system administrator can prevent contributors from modifying Web Part properties. But these are another topic.
