Change comment:
Provide information about download/inline display
Summary
-
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
-
- Author
-
... ... @@ -1,1 +1,1 @@ 1 -XWiki. ThomasMortagne1 +XWiki.surli - Content
-
... ... 
@@ -102,3 +102,45 @@ 102 102 {{info}} 103 103 When using this attachment store with a MySQL database, you must set the ##max_allowed_packet## to about 3 times the size of your largest attachment since the attachment and its version history must be saved. See the [[MySQL Installation guide>>Documentation.AdminGuide.InstallationMySQL]] for more information. 104 104 {{/info}} 105 + 106 += Attachment display or download = 107 + 108 +When possible (see [[Security section>>||anchor="HSecurity"]] below) attachments are displayed directly in the browser when accessed. 109 +It is possible for developers to force-downloading an attachment by adding the parameter ##?force-download=1## in the attachment URL. 110 + 111 +{{version since="12.10RC1"}}it's possible to use a dedicated property in ##xwiki.properties## to always force some attachment mime-types to be downloaded: 112 + 113 +{{code language="none"}} 114 +#-# [Since 12.10RC1] 115 +#-# Define the kind of attachment that you always want to be downloaded and never displayed inline. 116 +#-# By default this list is empty, but you can specify a list of mime-types (coma separated list of values) which 117 +#-# should be always downloaded no matter who attached them or what is the whitelist/blacklist configuration. 118 +#-# 119 +#-# The distinction with the blacklist configuration above is that the blacklist won't affect file attached by a user 120 +#-# with programming rights, while this configuration affect any attachment. 121 +# attachment.download.forceDownload= 122 +{{/code}} 123 +{{/version}} 124 + 125 += Security = 126 + 127 +In order to prevent attacks by using attachments, it's possible to control which attachments' can be directly opened on the browser based on their mimetypes. 128 +Two properties in ##xwiki.properties## allow to control that independently: 129 + 130 +{{code language="none"}} 131 +#-# [Since 5.2M2] 132 +#-# Define the kind of attachment that can be displayed inline. 
You can either choose to do it through a whitelist 133 +#-# (only the mimetypes defined in this list would be displayed inline) or a blacklist (every mimetype that is not in 134 +#-# this list would be displayed inline if possible). 135 +#-# Note that only one configuration is used between the whitelist and the blacklist, and the whitelist always have 136 +#-# the priority over the blacklist. Also note that these configurations exist for security reason so they are only 137 +#-# impacting attachments added by users who do not have programming rights. 138 +#-# If you want to force downloading some attachments types please check the configuration below. 139 +#-# 140 +#-# By default we use the following whitelist (coma separated list of values). 141 +# attachment.download.whitelist=audio/basic,audio/L24,audio/mp4,audio/mpeg,audio/ogg,audio/vorbis,audio/vnd.rn-realaudio,audio/vnd.wave,audio/webm,image/gif,image/jpeg,image/pjpeg,image/png,image/svg+xml,image/tiff,text/csv,text/plain,text/xml,text/rtf,video/mpeg,video/ogg,video/quicktime,video/webm,video/x-matroska,video/x-ms-wmv,video/x-flv 142 +#-# 143 +#-# If you prefer to use a blacklist instead, you can define the forbidden types here, as a coma separated list of 144 +#-# values. We advise you to forbid at least the following mimetypes : text/html, text/javascript 145 +# attachment.download.blacklist=text/html,text/javascript 146 +{{/code}}
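Review bot: The cross-references inside the two pasted xwiki.properties comment blocks point the wrong way for this page's ordering. The forceDownload block says "The distinction with the blacklist configuration above", and the whitelist/blacklist block says "If you want to force downloading some attachments types please check the configuration below", but on this page the "Attachment display or download" section (with ##attachment.download.forceDownload##) comes before the "Security" section (with ##attachment.download.whitelist## / ##attachment.download.blacklist##), so both "above" and "below" are inverted. Either order the two code blocks as they appear in xwiki.properties or edit the copied comments to say "in the Security section below" and "in the Attachment display or download section above". Second, the whitelist comment says which types are displayed inline but never states what happens to an attachment whose type is not whitelisted (or is blacklisted); the lead sentence "When possible ... attachments are displayed directly in the browser" only hints at it, so say explicitly that such attachments are served as downloads rather than refused, since that is the behaviour the Security section exists to guarantee. Minor wording in the same hunk: "coma separated" should be "comma separated" (three occurrences); "the blacklist won't affect file attached by a user with programming rights, while this configuration affect any attachment" should read "files attached ... affects"; "force-downloading an attachment" should be "force the download of an attachment"; "which attachments' can be directly opened on the browser" should drop the apostrophe and read "in the browser"; and the text immediately following ##{{version since="12.10RC1"}}## starts mid-sentence with a lowercase "it's" and should begin a new sentence.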