PDF Security in SharePoint 2010
Here’s a handy nugget of information I picked up at NZSPC2011.
Out of the box, SP2010 will force you to save PDFs from SharePoint rather than open them in the browser. This is to prevent XSS, which is pretty easy to do via PDFs. Good solid security principle, that one – I like it.
For most users, however, this comes as a jarring change to what they’re used to, so cue complaints from users, and an SP Admin looking for a quick fix. Google will quickly point you at hundreds of suggestions to change the Browser File Handling setting from Strict to Permissive (set per web application, under General Settings).
This is a purely evil approach, as it immediately relaxes file handling security for ALL file types, not just PDF.
The better way of doing this is to set an ‘Inline Download’ exclusion just for PDF files. There’s a good post at pdfsharepoint.com by Dmitry that covers this in detail, but here’s the important bit.
Via PowerShell, run the following script to create a MIME type exclusion for PDF files in your web application. The only value you need to change here is the http://webapp.domain bit – set it to your web application hostname.
```powershell
# Get the web application (replace http://webapp.domain with your own hostname)
$webApp = Get-SPWebApplication http://webapp.domain

# Only add the PDF MIME type if it is not already in the inline-download list
If ($webApp.AllowedInlineDownloadedMimeTypes -notcontains "application/pdf") {
    Write-Host -ForegroundColor White "Adding Pdf MIME Type..."
    $webApp.AllowedInlineDownloadedMimeTypes.Add("application/pdf")
    # Persist the change to the configuration database
    $webApp.Update()
    Write-Host -ForegroundColor White "Added and saved."
} Else {
    Write-Host -ForegroundColor White "Pdf MIME type is already added."
}
```
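As an added example (not from the original post or Dmitry’s), the same idea extended across the whole farm: audit every web application’s Browser File Handling mode, flag any that has been switched to Permissive, and add the PDF exclusion only where the mode is still Strict. It assumes you are running in the SharePoint 2010 Management Shell; `BrowserFileHandling` and `AllowedInlineDownloadedMimeTypes` are the real SPWebApplication properties.

```powershell
# Added example: farm-wide audit and targeted fix for PDF inline download.
# Assumes the Microsoft.SharePoint.PowerShell snap-in (SharePoint 2010 Management Shell).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pdfMime = "application/pdf"

foreach ($webApp in Get-SPWebApplication) {
    # Strict = browser is told to save (noopen) unless the MIME type is excluded
    # Permissive = every file type opens inline, which is the setting to avoid
    $mode   = $webApp.BrowserFileHandling
    $hasPdf = $webApp.AllowedInlineDownloadedMimeTypes -contains $pdfMime

    Write-Host ("{0}: BrowserFileHandling={1}, PDF inline exclusion={2}" -f $webApp.Url, $mode, $hasPdf)

    if ($mode -eq "Permissive") {
        # Report rather than silently change it; someone may have set it deliberately,
        # but it relaxes file handling for ALL types, not just PDF.
        Write-Warning ("{0} is Permissive: switch back to Strict and use a per-type exclusion instead." -f $webApp.Url)
        continue
    }

    if (-not $hasPdf) {
        Write-Host ("Adding {0} inline exclusion to {1}..." -f $pdfMime, $webApp.Url)
        $webApp.AllowedInlineDownloadedMimeTypes.Add($pdfMime)
        $webApp.Update()   # persist to the configuration database
    }
}
```

Run it once with the `Add`/`Update` lines commented out to get a read-only report before changing anything.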
3 Responses
jbooker says:
You can work around the Strict Browser File Handling by embeding the pdf in the page like this:
http://joshuabooker.com/Documents/pdf.aspx?file=browserfilehandling.pdf
The above is a PDF file in the browser from my Office365 site even though browser file handling is set to strict.
HTH,
Josh
July 29, 2011 at 2:57 am
JB says:
Interesting workaround Josh.
I do wonder how responsible (security-wise) it is to use javascript to work around an intentional security protection method though.
In an on-premise situation you’d be better off sticking with the Inline Download Exclusion method, but in O365 you don’t have that option yet, so your workaround would indeed be useful.
Rgds
JB
July 29, 2011 at 7:20 am
jbooker says:
Julian,
I agree about security. As you point out, adding inline MIME types is preferred. That said, I do wonder how responsible it is (usability-wise) for MS not to have provided a secure viewer for O365.
I did this in response to the overwhelming user demand and underwhelming MS response for a solution to open PDFs in the browser in O365. In my opinion, MS should have provided a secure viewer before now. Especially because they have a Silverlight XPS/PDF viewer already on docs.com.
I know some may feel differently, but to me, usability trumps the risk when it comes to pdfs in the browser.
Plus I will add, for those who feel safe with the Browser File Handling set to strict, the fact that you can bypass the ‘noopen’ header like this proves it’s really not so strict.
Thanks for looking,
Josh
July 30, 2011 at 12:48 am