Why is the CONTENT_DISPOSITION header considered unsafe?

Question

I’ve developed a REST endpoint that produces a zip file serialized to a byte array.

@GetMapping(path = "/export-zip", produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<byte[]> exportZipFile() throws IOException {
        try {
            MyZipObject zip = zipService.createZip();
            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.add(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + zip.getFileName() + ".zip\"");
            return new ResponseEntity<>(zip.getData(), httpHeaders, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }

Using Postman, I can successfully get the response from this API and save it to a Zip file. However the React code that our front-end uses to call this API is producing an error

Refused to get unsafe header “Content-Disposition"

I’m unsure why the header is considered unsafe to begin with but I’d also like to know how I can render it a safe header.

Does this answer your question? [Cross Domain Resource Sharing GET: 'refused to get unsafe header "etag"' from Response](https://stackoverflow.com/questions/5822985/cross-domain-resource-sharing-get-refused-to-get-unsafe-header-etag-from-re) — Kevin Christopher Henry, Jul 22 '20 at 11:49

score 3 · Answer 1 · answered Jul 23 '20 at 09:50

That was a useful response, thanks. In the end, I was able to fix this by adding the following code to my controller

httpHeaders.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, HttpHeaders.CONTENT_DISPOSITION);
httpHeaders.add(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + fileName + ".zip\"");

Why is the CONTENT_DISPOSITION header considered unsafe?

1 Answers1