[Building Sakai] Experiences with enabling content.html.forcedownload?

[Kevin Pittman]

This past summer, we upgraded from Sakai 2.5 to 2.8, and chose to turn
off the content.html.forcedownload setting since we'd never had it in 2.5
and we didn't want to introduce such a notable change in functionality
without understanding it better.  We're now making plans for whether or
not to turn on that setting for our next semester, and I'd like to get
some input from the rest of the Sakai community if possible.

Are there any other schools that moved from an early version of Sakai
to 2.8 and chose not to enable the forcedownload setting on their 
instance?  If so, are you using some other technology to try to protect
against imbedded Javascript in uploaded HTML files?  If your school did
enable the setting, can you offer any insight into the problems it caused
at first and how you dealt with them?

Since the big issue with the direct opening of HTML files is the potential
for Javascript to run in the same context as Sakai, has anyone ever looked 
into a way of configuring Sakai CLE to behave like OAE, where content files 
are delivered over a different port?  I'm no expert on Tomcat and Java, so 
it may be completely infeasible, but I theorize that it might be possible 
with some creative Tomcat reconfiguration.

Thank you,
Kevin
Georgia Tech Sakai Application Administrator

-- 
Kevin Pittman                              kevin.pittman at oit.gatech.edu
-----------------------------------------------------------------------
Senior Systems Support Engineer        Office of Information Technology
Academic and Research Technologies      Georgia Institute of Technology