diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java index af0639fe70..32ddb8bdd9 100644 --- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java +++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java @@ -644,7 +644,7 @@ public class RequestResponseBodyMethodProcessorTests { String header = servletResponse.getHeader("Content-Disposition"); if (expectContentDisposition) { assertEquals("Expected 'Content-Disposition' header. Use case: '" + comment + "'", - "attachment;filename=f.txt", header); + "inline;filename=f.txt", header); } else { assertNull("Did not expect 'Content-Disposition' header. Use case: '" + comment + "'", header); diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java index 28bde6976a..6635463875 100644 --- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java +++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java @@ -1655,7 +1655,7 @@ public class ServletAnnotationControllerHandlerMethodTests extends AbstractServl assertEquals(200, response.getStatus()); assertEquals("text/html", response.getContentType()); - assertEquals("attachment;filename=f.txt", response.getHeader("Content-Disposition")); + assertEquals("inline;filename=f.txt", response.getHeader("Content-Disposition")); assertArrayEquals(content, response.getContentAsByteArray()); } diff --git a/src/asciidoc/web-mvc.adoc b/src/asciidoc/web-mvc.adoc index 0f923ebf28..5642a80761 100644 --- a/src/asciidoc/web-mvc.adoc +++ b/src/asciidoc/web-mvc.adoc @@ -884,7 +884,7 @@ nor disabling the use of path extensions for content negotiation purposes alone are effective at preventing RFD attacks. For comprehensive protection against RFD, prior to rendering the response body -Spring MVC adds a `Content-Disposition:attachment;filename=f.txt` header to +Spring MVC adds a `Content-Disposition:inline;filename=f.txt` header to suggest a fixed and safe download file filename. This is done only if the URL path contains a file extension that is neither whitelisted nor explicitly registered for content negotiation purposes. However it may potentially have