Risks of using Permissive vs. Strict for Browser File Handling
https://sharepoint.stackexchange.com//questions/30984
-
07-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
We have some web sites in our SharePoint 2010 site collection that need to display SWF files (to play FLV videos). For SharePoint to render the videos, we go to the web application in Central Admin > General Settings > Browser File Handling, and change it to Permissive. This entire SharePoint server is internal (for the intranet).
Is this a safe thing to do? Or should we convert the videos to WMV and not go with Flash? Thank you.
Soluzione
I think there's no risk in the intranet scenario. The main risk is the ability to add custom javascript code to the page that will execute while other users view that page - it can interact with SharePoint client object model, client browser etc. But in the such a controlled scenario as intranet site it may be acceptable.
Altri suggerimenti
The primary risk is that risky file types, such as PDF, would be automatically opened by the client in the program that handles the file type. With PDF and Adobe Reader/Pro, this could lead to an infection, as an example -- regardless if the situation is Intranet-only or Internet-facing.
It is generally better to add individual exceptions than to go all-out Permissive mode.
Unfortunately there's no way to add exceptions through the UI, but you can do it through powershell easily.
$app = Get-SPWebApplication "http://your.application"
$app.AllowedInlineDownloadedMimeTypes.Add("application/x-shockwave-flash")
$app.Update()
