[Building Sakai] Experiences with enabling content.html.forcedownload?
Kevin Pittman
kevin.pittman at oit.gatech.edu
Mon Oct 29 08:46:08 PDT 2012

This past summer, we upgraded from Sakai 2.5 to 2.8, and chose to turn
off the content.html.forcedownload setting since we'd never had it in 2.5
and we didn't want to introduce such a notable change in functionality
without understanding it better. We're now making plans for whether or
not to turn on that setting for our next semester, and I'd like to get
some input from the rest of the Sakai community if possible.

Are there any other schools that moved from an early version of Sakai
to 2.8 and chose not to enable the forcedownload setting on their
instance? If so, are you using some other technology to try to protect
against embedded JavaScript in uploaded HTML files? If your school did
enable the setting, can you offer any insight into the problems it caused
at first and how you dealt with them?

Since the big issue with the direct opening of HTML files is the potential
for JavaScript to run in the same context as Sakai, has anyone ever looked
into a way of configuring Sakai CLE to behave like OAE, where content files
are delivered over a different port? I'm no expert on Tomcat and Java, so
it may be completely infeasible, but I theorize that it might be possible
with some creative Tomcat reconfiguration.

Thank you,
Kevin
Georgia Tech Sakai Application Administrator
--
Kevin Pittman kevin.pittman at oit.gatech.edu
-----------------------------------------------------------------------
Senior Systems Support Engineer Office of Information Technology
Academic and Research Technologies Georgia Institute of Technology
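
Added example, not part of the original message or of Sakai's code: a check of what serving uploaded HTML from a different port would and would not isolate. It goes slightly beyond the question by also modelling cookie scoping (RFC 6265), which ignores the port; the hostnames, port, paths and cookie are constructed placeholders.

```javascript
// Added example. Hostnames, ports and paths are constructed placeholders.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Origin per RFC 6454: the (scheme, host, port) triple.
function originOf(url) {
  const u = new URL(url);
  return [u.protocol, u.hostname.toLowerCase(), u.port || DEFAULT_PORT[u.protocol] || ""];
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.every((part, i) => part === y[i]);
}

// Path match per RFC 6265 section 5.1.4.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for `url`?
// RFC 6265 matches on host, path and the Secure flag; the port is never consulted.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  const hostOk = cookie.hostOnly ? host === domain
    : host === domain || host.endsWith("." + domain);
  const secureOk = !cookie.secure || u.protocol === "https:";
  return hostOk && secureOk && pathMatches(u.pathname, cookie.path);
}

// Is uploaded HTML script-isolated from the application, and does the
// application's session cookie still reach the content URL?
function assess(appUrl, contentUrl, sessionCookie) {
  return {
    scriptIsolated: !sameOrigin(appUrl, contentUrl),
    sessionCookieSent: cookieSentTo(sessionCookie, contentUrl),
  };
}

// Constructed host-only session cookie and three constructed content layouts.
const SESSION = { name: "JSESSIONID", domain: "lms.example.edu", hostOnly: true, path: "/", secure: true };
const APP = "https://lms.example.edu/portal";
const LAYOUTS = {
  samePort: "https://lms.example.edu/content/upload.html",
  otherPort: "https://lms.example.edu:8443/content/upload.html",
  otherHost: "https://files.example.net/content/upload.html",
};
for (const [name, url] of Object.entries(LAYOUTS)) console.log(name, assess(APP, url, SESSION));
```

In this model a separate port makes the uploaded file a different origin for script and DOM access, but the host-scoped session cookie is still attached to requests for it; only the separate hostname keeps the cookie away from the content URL.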