Commit
Update navigations.md
terjanq authored Jul 6, 2024
1 parent 5d3fa07 commit e297fba
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions content/docs/attacks/navigations.md
Expand Up @@ -39,7 +39,7 @@ When an endpoint sets the [`Content-Disposition: attachment`](https://developer.

Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection)

The following snippet can be used to detect whether such a navigation has occurred and therefore detect a download attempt:
In the snippet below , we've added a sandboxed iframe with downloads disabled to prevent downloading modal from appearing.

```javascript
// Set the destination URL to test for the download attempt
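Review bot: the added line replaces the sentence that told the reader what the snippet is for (detecting whether a navigation occurred and therefore whether a download was attempted) with a sentence that only describes an incidental detail of it, so the code block now has no introduction of its purpose; keep the original sentence and append the iframe note to it, e.g. "The following snippet can be used to detect whether such a navigation has occurred and therefore detect a download attempt. It uses a sandboxed iframe with downloads disabled so that no download prompt appears." This also fixes the stray space before the comma in "below ," and the missing article in "prevent downloading modal from appearing" (should read "prevent the download prompt from appearing"). Since the code itself is collapsed here, it would help to say which sandbox setting "downloads disabled" refers to so readers can verify the snippet does what the sentence claims.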
Expand Down Expand Up @@ -73,7 +73,7 @@ This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), be

### Download Navigation (without iframes)

A variation of the technique presented in the previous section can also be effectively tested using `window` objects, this also uses a sandboxed iframe to prevent a visible file download or prompt:
A variation of the technique presented in the previous section can also be effectively tested using `window` objects. In the snippet below, we've added a sandboxed iframe with disabled downloads to prevent downloading modal from appearing.

```javascript
// Set the destination URL
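Review bot: the heading says "(without iframes)" but the added line still states that a sandboxed iframe is used, and the new wording does not explain the apparent contradiction; the removed line at least signalled it with "this also uses a sandboxed iframe", so the edit should make explicit that the navigation target is a `window` object and the iframe is only there to suppress the download prompt, not to perform the navigation. Grammar: "with disabled downloads to prevent downloading modal from appearing" should read "with downloads disabled to prevent the download prompt from appearing". This sentence is also a near-verbatim copy of the one added in the first hunk; a short reference to the previous section would avoid maintaining two copies of the same explanation.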

0 comments on commit e297fba