I always thought Content-disposition was part of the protocol but...

It's not! From this site:

The Content-disposition MIME header

Relevant to both of the subsequent sections, there exists a Content-disposition header for the purpose of proposing client behaviour in regard to a particular resource. The header isn't officially part of the HTTP protocol, and RFC2616 warns that the use of this header has "very serious" security implications: for a long time it was customary for HTTP user agents to disregard any such header. However, the header has been increasingly implemented in client applications (such as MSIE and web browsers such as Mozilla and Netscape), and information providers might give consideration (I'm not saying which way their decision should fall!) to using it either in conjunction with techniques mentioned below, or instead. The use of a Content-disposition value such as attachment;filename=myfile.ext represents a proposal for the client to download the file, even if the client would normally display this content-type.

Technorati Tags: web, html

powered by performancing firefox