Text attachments should display in the browser, not forced downloaded

cracauer@

cracauer@

Developer
Text attachments should display in the browser, not forced downloaded.

Consider the first post here: https://forums.freebsd.org/threads/audinst-hud-mx1usb-dac-sound-volume-very-low.102321/

I want to see dmesg. As it is right now I have to download it, open it from HD and then clean up afterwards. It should just display the text in a browser tab. This is done via http header.

I know that XenForo does this by default and last I heard there was no option to turn this nonsense off. But maybe there us a way, or an update or something.
 
drsnx60 said:
using firefox to navigate to

file:///var/run/dmesg.boot

And opening it works for me and displays text in the firefox window.
Click to expand...
That works for files on the local system, but I believe cracauer@ is talking about text files that someone attaches to a post on the forum. The thread linked in the OP has 3 attachments, all text files. If you want to look at the contents, clicking on one causes a download, not just open in a new tab.
 
OK. I can configure the DOWNLOAD setting in firefox to "Always ask you where to save files"
this pops up a dialouge where I can view the file in an editor or I can select a browser to view the file in .
 
I have two scripts; one monitors the download of text files.
The other opens hx or vim to view the file.
Install pkg install entr
You can change the editor.
Sorry, the comments are in French.
15:32 %> cat watch-txt.sh
#!/bin/sh

DL="$HOME/Telechargement"
CACHE="/tmp/hx_last_opened_txt"

[ -d "$DL" ] || exit 1

# surveille le dossier lui-même
while true; do
printf '%s\n' "$DL" | entr -d sh -c '
DL="'"$DL"'"
CACHE="'"$CACHE"'"

FILE=$(find "$DL" -maxdepth 1 -type f -name "*.txt" -print 2>/dev/null \
| xargs ls -t 2>/dev/null | head -n 1)

[ -n "$FILE" ] || exit 0

MTIME=$(stat -f "%m" "$FILE" 2>/dev/null) || exit 0
NOW=$(date +%s)
AGE=$((NOW - MTIME))

# ignorer les vieux fichiers
[ "$AGE" -gt 5 ] && exit 0

LAST=""
[ -f "$CACHE" ] && LAST=$(cat "$CACHE" 2>/dev/null)

# éviter de rouvrir le même fichier
[ "$FILE" = "$LAST" ] && exit 0

echo "$FILE" > "$CACHE"

# laisser finir le renommage / flush Firefox
sleep 1

exec xfce4-terminal --hold -e "hx \"$FILE\""
'
done
Click to expand...

and
15:33 %> cat open-last-txt.sh
#!/bin/sh

DL="$HOME/Telechargement"

# dlast file downloaded
FILE=$(ls -t "$DL"/*.txt 2>/dev/null | head -n 1)

[ -z "$FILE" ] && exit 0

# open helix
exec hx "$FILE"
Click to expand...
my editor is hx
 
kent_dorfman766 said:
The web server should be identifying the content as text/plain so that the browser can display it. Instead they are either not assigning any mime type or a wrong one, so the browser falls back to binary download of content.
Click to expand...

No, that's not true. The web server sends the right mime type, but also another header forcing the download.
 
Using waterfox on windowmaker, it asks me to save the file, as the only option presented. However using waterfox on kde plasma, it gives me an option to either save the file or open it with an editor (kate), if I chose editor it opens the file in a separate window in the editor, and does not save it to the local drive (unless it's creating a temporary somewhere that it deletes automatically afterwards). So it appears that the desktop environment being used modifies the dialog that is presented when clicking on the link.
 
blackbird9 said:
Using waterfox on windowmaker, it asks me to save the file, as the only option presented. However using waterfox on kde plasma, it gives me an option to either save the file or open it with an editor (kate), if I chose editor it opens the file in a separate window in the editor, and does not save it to the local drive (unless it's creating a temporary somewhere that it deletes automatically afterwards). So it appears that the desktop environment being used modifies the diaglog that is presented when clicking on the link.
Click to expand...

If it's in the editor it is on a filesystem. You can find out where by trying to save the buffer after a modification.
 
cracauer@ said:
No, that's not true. The web server sends the right mime type, but also another header forcing the download.
Click to expand...
I can not confirm that.​
Bash: 
curl -so dmesg.txt --dump-header - https://forums.freebsd.org/attachments/dmesg-txt.25923/
shows​
HTTP: 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Apr 2026 13:45:55 GMT
Content-Type: application/octet-stream
Content-Length: 2706
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Mon, 13 Apr 2026 13:45:55 GMT
Content-Disposition: attachment; filename="dmesg.txt"
ETag: "1775934141"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
RFC 2616 explains that if a Content‑Disposition
[…] is used in a response with the application/octet-stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a ‘save response as …’ dialog.
Click to expand...
Therefore to fix the problem is to properly detect and send text/plain as the Content‑Type. I just verified that file --mime dmesg.txt can do it. There are apparently no strange characters confusing recognition algorithms.​
 
drsnx60 said:
OK. I can configure the DOWNLOAD setting in firefox to "Always ask you where to save files"
this pops up a dialouge where I can view the file in an editor or I can select a browser to view the file in .
Click to expand...
That's several mouseclicks. The OP wants it to be just ONE.
[EDIT] In KDE (konqueror) it's right mouse button -> preview in... -> embedded enhanced text editor
 
Kai Burghardt said:
I can not confirm that.​
Bash: 
curl -so dmesg.txt --dump-header - https://forums.freebsd.org/attachments/dmesg-txt.25923/
shows​
HTTP: 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Apr 2026 13:45:55 GMT
Content-Type: application/octet-stream
Content-Length: 2706
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Mon, 13 Apr 2026 13:45:55 GMT
Content-Disposition: attachment; filename="dmesg.txt"
ETag: "1775934141"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
RFC 2616 explains that if a Content‑Disposition
Therefore to fix the problem is to properly detect and send text/plain as the Content‑Type. I just verified that file --mime dmesg.txt can do it. There are apparently no strange characters confusing recognition algorithms.​
Click to expand...
this investigation is correct, however attachments are being handled by XenForo and it is XenForo which sets the Mime-type (Content-Type header); unfortunately it sets incorrect mime type (application/octet-stream instead of text/plain) in this case. It only handles image attachments correctly, all other attachments are sent as application/octet-stream. This is something that would require a fix upstream or an addon (which we do not prefer).
 
As a workaround for Firefox there is this extension (don't know for Chromium): https://addons.mozilla.org/en-US/firefox/addon/open-in-browser/.
Schermata_20260413_211341.png
 
I don't agree. I think they should be automatically zipped and sent to your most current email address unless you live in California. If you live in California, they should be printed and manually faxed to you.

Also, I think there should be a PinkFreeBSD theme. Why is there a BlueFreeBSD theme, but not a PinkFreeBSD theme?

Why?!?!

Why?!?!
 
cracauer@ said:
I know XenForo doesn't support it. I'd say hack up the PHP code. Just send content type text instad of octeats. Easy peasy.
Click to expand...
To say XenForo has made this non-trivial (not to say extremely convoluted) is an understatement. That is the reason why the existing add-on for XF1 was never ported over to XF2, and why XF developers keep holding off on offering the option. Don't expect a Q & D solution from volunteer staff here. Sorry.
 
Kai Burghardt is correct. Forcing a download is as simple as forgetting a content type header.

I'm a self-taught PHP coder and i've followed this thread. I agree that forced downloads of a plain text file is quite annoying. I'd also like to open a text file in a new window/tab. I do not have the source code to this forum, so it is a dificult shot to make. However, i have formulated a theory based upon examination of how the site is working from the client side perspective. I have seen the source code to phpbb, smf and two commercial packages (helping friends with code). Most of these forums are garbage PHP.

Not to get off track but may i vent for a moment? please? i've been banned from a few PHP forums in my early study days for the following reason: i got tired of being bullied and insulted and i stood up for myself and laid bare the truth: the bullies always refer to the weaving in-and-out of html and php as "spaghetti code". These php bullies will lecture newbies and slam down the mvc law and demand that PHP coders use symfony or laravel and class files for everything. Yet, if you examine their code closely, then you will see spaghetti code made from classes that is more spaghetti than an Italian guy with sauce in his mustache. id est, function that calls a function that calls a function that uses a built-in function to output text to the screen. You know, instead of using the caveman method of simply typing echo.

you will most likely know what i mean if you are an admin/moderator of this forum code and you have tried to track down attachment code. see what i mean? garbage PHP.

The actual attachment code is most likely broken up into several files in several places but i bet that you have an app file somewhere in the XF folder. My guess is to look for a folder named XF containing a file named App.php So probably forum_directory/src/XF/App.php

scroll though the App.php file looking for an array like the following that i found via online search:
Code: 
$container['inlineImageTypes'] = function (Container $c) {
  return [
      'gif' => 'image/gif',
      'jpg' => 'image/jpeg'
];

the associative array appears to hold header content-type data. You could add the following key/value pair to see if it changes from forced download to display (do not forget to use a comma after the last key/value pair so that the text handler can be added as the last key/value pair):

Code: 
'txt' => 'text/plain'
];

it is probably how the display is working anyway. Despite the fact that none of the key/value pairs are really being validated. Also, this 'patch' should work but then imaging a code-injection vulnerability... good lord! :)
 
I suspect that not opening attachments in the browser is a security measure. The OS is much less likely to do crazy things just by storing a file, and the stored file enters the domain of your OS's security, which tends to be more reliable than that of your browser (or, at least, it falls outside XenForo's responsibility).
 
That might actually be closer to the truth. Even on kde, it opens it in an editor, not a browser window, so if something goes wrong, it's the editor to blame. So perhaps it's by design.
Although... firefox also opens pdf's in it's own window, and pdfs are well known for hosting exploits. So who knows.

It's hard to know what the best thing to do is when adding things like debug trace to a post. If you paste it inline, it can be huge. If you attach it, people may be forced to download it. I don't know what the answer is.
 
You must log in or register to reply here.
Back
Top