“For web applications that need to serve untrusted HTML files, we have introduced a mechanism to help prevent the untrusted content from compromising your site’s security. When the new X-Download-Options header is present with the value noopen, the user is prevented from opening a file download directly; instead, they must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of your site, helping to prevent script injection.”
Go to Central Administration > Manage Web Applications > [Highlight a web application] > click General Settings in the Ribbon > Scroll down in the General Settings window to see Browser File Handling. Set as desired. Save settings.
Get-SPWebApplication "http://yourwebapplicationurl" | Foreach-Object {$_.AllowedInlineDownloadedMimeTypes}
$webApplication = Get-SPWebApplication "http://yourwebapplicationurl" $webApplication.AllowedInlineDownloadedMimeTypes
$webApplication = Get-SPWebApplication "http:/yourwebapplicationurl" $webApplication.AllowedInlineDownloadedMimeTypes.Add("application/pdf") $webApplication.Update()
$mimeType = "application/pdf" Get-SPWebApplication | foreach-object { # If the MIME Type is not already on the allowed list for the Web Application if(!$_.AllowedInlineDownloadedMimeTypes.Contains($mimeType)) { # Add the MIME type to the allowed list and update the Web Application $_.AllowedInlineDownloadedMimeTypes.Add($mimeType) $_.Update() Write-Host Added $mimeType to the allowed list for Web Application $_.Name } else { # The MIME type was already allowed - can't add. Inform user Write-Host Skipped Web Application $_.Name - $mimeType was already allowed } }
$webApplication = Get-SPWebApplication "http:/yourwebapplicationurl" $webApplication.AllowedInlineDownloadedMimeTypes.Remove("application/pdf") $webApplication.Update()
$mimeType = "application/pdf" Get-SPWebApplication | foreach-object { # If the MIME Type is not already on the allowed list for the Web Application if($_.AllowedInlineDownloadedMimeTypes.Contains($mimeType)) { # Remove the MIME type from the allowed list and update the Web Application $_.AllowedInlineDownloadedMimeTypes.Remove($mimeType) | Out-Null $_.Update() Write-Host Removed $mimeType from the allowed list of Web Application $_.Name } else { # The MIME type was not on the list - can't remove. Inform user Write-Host Skipped Web Application $_.Name - $mimeType was not on the allowed list } }