“secure” PPTX and WAV files in portal behaving incorrectly
CONTEXT
I am building a portal that requires users to log in before viewing content. I've taken the following approach:
if logged in:
- the user is presented with a list of links to the content (index.php)
- the links are controlled by a simple jquery script (included in index.php) that uses the href to perform a GET request to the authorization page (auth.php)
- the auth page performs additional checks, sets headers and mime type and handles the file request accordingly
Where possible, the goal is to display the file in the browser.
Also, direct access to the content (files) is restricted by a simple htaccess file (shown here for completeness, but is designed to handle the condition where user is NOT logged in).
THE PROBLEM
When a logged-in user clicks on a link in index.php I am getting various behaviors. I share these results so that you can see that the code "works" in most cases and it is the exceptions about which I need help. The site currently has seven different content types and their:
Table of outcomes
CHROME FIREFOX
GROUP 1 - Non-Microsoft OK
pdf in browser - OK in browser - OK
images in browser - OK in browser - OK
mp4 in browser - OK in browser - OK
GROUP 2 - Microsoft OK
xlsx save as (explorer) - auth.xlsx view/save pop up - OK
docx save as (explorer) - auth.docx view/save pop up - OK
GROUP 3 - NOT WORKING AS EXPECTED
wav in browser - OK view/save pop up - auth
pptx save as (explorer) - auth.pptx view/save pop up - auth
As shown above, the application (i.e. code below) works fine for Groups 1 and 2 in Chrome and Firefox.
- Group 1 - everything happens in the browser as expected.
- Group 2 - Word and Excel files display the "view or save" dialog in Firefox and this dialog correctly shows the filename and default application. For Chrome, the "Save As" (Windows Explorer) box opens as expected (though it would be preferable if Chrome behaved as Firefox does). The default name to save is "auth" + the extension (eg xlsx or docx). This is not user friendly. Would prefer it be blank or a the original file name.
However, .pptx and .wav files do not behave as expected in Firefox. When the popup appears for these files, the displayed name in both cases is auth.php (and not the actual name of the file as happens when Excel or Word files are selected). PowerPoint is, however, correctly shown as the default app in the popup for .pptx files and the default app for .wav files is shown as TWINUI. In both cases, clicking "OK" in the popup opens the file in the correct application.
CODE
INDEX.PHP
<script src='../vendor/components/jquery/jquery.min.js'></script>
<script>
$( function() {
$('.link').on('click',function(e) {
e.preventDefault();
var doc = $(this).attr('href');
document.location = '/docs/'+doc;
});
});
</script>
<html>
<body>
<section>
<h2>List of links...</h2>
<br><a class="link" href="test.pdf">PDF document</a>
<br><a class="link" href="test.jpg">image</a>
<br><a class="link" href="test.pptx">powerpoint</a>
<br><a class="link" href="test.mp4">mp4</a>
<br><a class="link" href="test.docx">word document</a>
<br><a class="link" href="test.xlsx">Excel file</a>
<br><a class="link" href="test.wav">wave file</a>
</section>
</body>
</html>
AUTH.PHP
<?php
//code to check if logged in
//code to check if authorized to view file
//code to set content type
$c_type = '';
switch ($ext) {
case 'jpg':
case 'jpeg':
case 'jpe':
$c_type = 'Content-Type: image/jpeg';
break;
case 'png':
$c_type = 'Content-Type: image/png';
break;
case 'pdf':
$c_type = 'Content-Type: application/pdf';
break;
case 'pptx':
$c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.presentationml.presentation';
break;
case 'xlsx':
$c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet';
break;
case 'docx':
$c_type = 'Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document';
break;
case 'mp4':
$c_type = 'Content-Type: video/mp4';
break;
case 'wav':
$c_type = 'Content-Type: audio/x-wav';
break;
default:
echo '<br> content-type not recognized';
exit();
break;
$pathtofile = {set to location of document}
//code to set headers
//set headers
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header($c_type);
header('Content-Length: '.filesize($pathtofile));
header("Cache-Control: no-store, no-cache, must-revalidate");
header('Cache-Control: max-age=0');
header("Pragma: no-cache");
//readfile
readfile($pathtofile);
exit();
?>
.htaccess
Options -Indexes +FollowSymLinks -MultiViews
RewriteEngine on
# If the requested filename ends in a prohibited direct access file extension...
RewriteCond %{REQUEST_FILENAME} .*\.(jpeg|jpg|png|pdf|pptx|ppt|mp4|doc|docx|xlsx|xls|wav) [NC]
# Then grab the requested URL from the current directory on and stuff in in the $1 variable (first () pair maps to $1)
# Append the $1 variable as part of the query string when processing auth.php
RewriteRule (.*) http://[ROOT]/auth?doc=$1 [NC,L]
QUESTIONS
Is there a way that I can get the popup in Firefox to appropriately display the name of the file (instead of auth.php) for pptx and wav files?
Is there a way to get Chrome to view MS Office files (pptx, excel and docx) in browser by default (like you can do with gmail attachments) and use the native download, print, enlarge, UI (like gmail attachments)?
If there's no way to modify the way Chrome handles the opening of a Microsoft file, then is there a way I can change the default filename to save to something other than "auth"?
-
05:30
-
04:00
-
00:00
-
10:30
-
9:10
-
07:40
Firebase Cloud Functions: PubSub, "res.on is not a function"
-
04:00
TypeError: Cannot read properties of undefined (reading 'createMessageComponentCollector')
-
9:20
-
7:40
- typescript: tsc is not recognized as an internal or external command, operable program or batch file 111570 visits
- search for elements in a list 111065 visits
- In Chrome 55, prevent showing Download button for HTML 5 video 98827 visits
- RxJS5 - error - TypeError: You provided an invalid object where a stream was expected 96332 visits
- Ionic 2 - how to make ion-button with icon and text on two lines? 92528 visits
- NetBeans IDE - ClassNotFoundException: net.ucanaccess.jdbc.UcanaccessDriver 62042 visits
- Adding methods to es6 child class 22376 visits
