How can I force a browser to NOT download a file with content-disposition:attachment header

Question

For example:

<iframe src="http://otherdomainidontcontrol.com/blah.csv"></iframe>

And blah.csv has this header:

Content-Disposition: attachment; filename=blah.csv;

Is it possible to force blah.csv to render in the iframe instead of downloading?

Answer 1

We've actually been looking into this for our application, since we want the browser to render the file embedded if it is capable of doing so - and if not capable, we want the browser to download the file under an appropriate name.

If you change the Content-Disposition header to be inline instead of attachment, it works in that manner - the browser will render the file if it is able to do so, and if not, the file will be downloaded as whatever you specify in the filename portion of the Content-Disposition header

response.headers['Content-Disposition'] = "inline; filename=name.extension"

However, if as you have said, your blah.csv comes back with that header and you can't intercept it or change that, then I would agree there is no way around it. The "attachment" part specifies that the file be downloaded.

Answer 2

I don't think there is a way to bypass Content-Disposition (and this is likely to be good for security reasons).