ie_no_open.mdx

File metadata and controls

35 lines (22 loc) · 1.32 KB
---
name: IE No Open
menu: HTTP Headers
route: /http_headers/ie_no_open
---

# HTTP Header: IE No Open

## The attack

This attack only affects old versions of Internet Explorer.

Some web applications serve untrusted HTML for download. For example, you might allow users to upload HTML files and let other users download them.

By default, old versions of Internet Explorer let the user open such a downloaded HTML file directly from the download prompt, in the context of your site. That means an untrusted HTML page can run script with your site's origin and do bad things in the context of your pages. For more, see this MSDN blog post.

## The header

The `X-Download-Options` header can be set to `noopen`. This removes the "Open" option from the download prompt in old versions of Internet Explorer, so a malicious HTML download cannot be executed in the context of your site; the user can still save the file and open it locally.

## The code

This middleware sets the `X-Download-Options` header to `noopen` on every response, preventing Internet Explorer from executing downloads in your site's context.

```js
const express = require('express')
const helmet = require('helmet')

const app = express()

// Sets "X-Download-Options: noopen" on every response.
app.use(helmet.ieNoOpen())
```
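To make concrete what the middleware does and how you would verify it, here is an added example that is not Helmet's own code: a hand-written middleware that sets the same header `helmet.ieNoOpen()` sets, a hypothetical download handler for a user-uploaded HTML file, and a defender-side check that confirms a response carries the header. The response object, the `runChain` helper, the `serveUploadedHtml` route and the `upload.html` filename are all constructed for this example so it runs offline without Express.

```javascript
// Added example (not Helmet's source): a minimal Express-style middleware that
// sets the same header helmet.ieNoOpen() sets, a download handler that relies
// on it, and a checker that confirms a response carries the header.
// The response object below is a constructed stand-in, so no server is needed.

const HEADER_NAME = 'X-Download-Options';
const HEADER_VALUE = 'noopen';

// Equivalent of helmet.ieNoOpen(): set the header on every response, then
// hand off to the next handler.
function ieNoOpen() {
  return function ieNoOpenMiddleware(req, res, next) {
    res.setHeader(HEADER_NAME, HEADER_VALUE);
    next();
  };
}

// Hypothetical route that serves a user-uploaded HTML file as a download.
// It deliberately does not set X-Download-Options itself; the middleware
// above is what protects it.
function serveUploadedHtml(req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.setHeader('Content-Disposition', 'attachment; filename="upload.html"');
  res.end('<p>constructed sample upload</p>');
}

// Minimal stand-in for an Express response. Header names are stored
// lower-cased because HTTP header names are case-insensitive.
function makeResponse() {
  const headers = new Map();
  return {
    body: null,
    setHeader(name, value) { headers.set(name.toLowerCase(), String(value)); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
    end(body) { this.body = body; },
  };
}

// Run a chain of middleware/handlers against one fake request and return
// the finished response, the way Express would call them in order.
function runChain(handlers, req = {}) {
  const res = makeResponse();
  let i = 0;
  function next() {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  }
  next();
  return res;
}

// Defender-side check: does this response tell old IE not to open the
// download in the site's context? Tolerates surrounding whitespace and case.
function hasNoOpen(res) {
  const value = res.getHeader(HEADER_NAME);
  return typeof value === 'string' && value.trim().toLowerCase() === HEADER_VALUE;
}

// With the middleware in the chain the download carries the header.
const protectedRes = runChain([ieNoOpen(), serveUploadedHtml]);
// Without it the same download is served with no X-Download-Options at all.
const unprotectedRes = runChain([serveUploadedHtml]);

console.log('with middleware:', hasNoOpen(protectedRes));      // true
console.log('without middleware:', hasNoOpen(unprotectedRes)); // false
```

The `hasNoOpen` check is the same test you would run against a live response header dump from your own server: the header must be present on the download response itself, so a middleware that only runs on some routes, or that is registered after the download route, gives you the "without middleware" result above.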

Refs: