Description
Rossen Stoyanchev opened SPR-13629 and commented
The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.
By default ".html" is not whitelisted since a controller method returning String can be rendered as any requested content type (since StringHttpMessageConverter accepts "*/*") and in the case of HTML that can lead to XSS and RFD attacks.
However as commented under Spring Boot #4220 we should consider ways to make it straightforward to render HTML via @ResponseBody when that is the actual intent.
spring-projects/spring-boot#4220 (comment)
Affects: 3.2.15, 4.1.8, 4.2.2
Issue Links:
- Behavior change to Content-Disposition on @RequestMapping endpoint [SPR-13645] #18222 ("is duplicated by")
- Protect against RFD exploits [SPR-13548] #18124
- Content-Disposition header causes download in browser for Spring Boot Actuator endpoints [SPR-13587] #18164
Referenced from: commits f2e4da3, 237439e, d500d52, e190f26, 6a9329c, bdb71e9
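As an added illustration (not code from the issue or from the Spring project), the following shows the "explicitly registered by the application" route the description mentions: registering the "html" extension with the content negotiation manager, and stating the text/html intent on the handler itself via `produces`, so the HTML can no longer be reached with an unintended content type. Package name, URL paths and the controller are assumptions for the example.

```java
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.util.HtmlUtils;

// Registers ".html" as an application-known extension. Per the issue text, the RFD
// check only adds "Content-Disposition: attachment; filename=f.txt" for extensions
// that are neither whitelisted by default nor registered, so GET /greeting/alice.html
// is then served inline as HTML instead of being forced into a download.
@Configuration
@EnableWebMvc
public class HtmlResponseBodyConfig extends WebMvcConfigurerAdapter {

    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer.mediaType("html", MediaType.TEXT_HTML);
    }

    @Bean
    public GreetingController greetingController() {
        return new GreetingController();
    }

    @Controller
    public static class GreetingController {

        // produces=text/html states the intent explicitly, rather than letting
        // StringHttpMessageConverter answer whatever type the client asks for ("*/*").
        @RequestMapping(value = "/greeting/{name}", produces = MediaType.TEXT_HTML_VALUE)
        @ResponseBody
        public String greeting(@PathVariable String name) {
            // Once String output is deliberately rendered as HTML, user-controlled input
            // must be escaped, otherwise the XSS concern behind the ".html" exclusion applies.
            return "<html><body><h1>Hello, " + HtmlUtils.htmlEscape(name) + "</h1></body></html>";
        }
    }
}
```

Registering "html" applies to every @ResponseBody handler in the application, not just this one, so the escaping shown in the controller is what keeps the change from reintroducing the risk the original fix addressed.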