Enabling a whitelist of acceptable file types

To prevent direct opening of attachments that may contain harmful content, a content-disposition header has been added that instructs the browser to save the file attachment rather than opening it directly.

About this task

The downside of this is that attachments of known file types (jpg, pdf, and so on) that would previously have opened directly now require additional steps for the customer. A whitelist mechanism has been implemented using two notes.ini file variables to allow customers to specify file types that should not be prevented from downloading.
Note: Use this option with caution. Adding file types to the whitelist allows the browser to load those types using its default handling, which could enable third-party active content running in the browser to gain access to session information and data from the mail server. Be certain that the file types that are added are known to be safe.
  • iNotes_WA_Sec_AttachCDHeader
    • If set to 0, turns off the header setting.
    • If set to 1 (default), sets the header for all file types except those in the whitelist, plus (if the user-agent indicates Mobile and Safari) .bmp, .gif, .jpg, and text, plus (if the user-agent indicates Mobile and Safari and Android) the extensions already listed, plus .csv, .doc, .pdf, .ppt, and .xls.
    • If set to 2, sets the header for all file types except those in the whitelist. This allows device browsers to open the default file types in cases where either the notes.ini value is set to 1, or is not set at all. In this case, both the default four file types and those entered in the notes.ini file are used.
  • iNotes_WA_Sec_AttachCDWhiteList
    • Specifies a comma-delimited list of attachment types to allow opening directly, for example, iNotes_WA_Sec_AttachCDWhiteList=jpg,pdf,gif
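
The following is an added example, not part of the product documentation: a small Python check that reads notes.ini text and reports when the header is turned off or when the whitelist contains types that should be reviewed before use. The ACTIVE_TYPES set, the approved list, the case-insensitive matching of variable names, and the sample input are assumptions made for illustration.

```python
# Added example: audit notes.ini text for the two attachment-header settings.
# ACTIVE_TYPES is an assumed review list, not taken from the product documentation.
ACTIVE_TYPES = {"htm", "html", "xhtml", "svg", "xml", "mht", "swf", "js"}

def parse_ini(text):
    """Return notes.ini variables as {lowercased name: value}; last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") or "=" not in line:
            continue  # section header or a line that is not an assignment
        name, value = line.split("=", 1)
        # Assumption: variable names are compared case-insensitively.
        settings[name.strip().lower()] = value.strip()
    return settings

def audit(text, approved=frozenset({"jpg", "gif", "pdf"})):
    """Return a list of findings for the attachment Content-Disposition settings."""
    s = parse_ini(text)
    findings = []
    mode = s.get("inotes_wa_sec_attachcdheader", "1")  # 1 is the documented default
    if mode == "0":
        findings.append("header turned off: no attachment is forced to download")
    elif mode not in ("1", "2"):
        findings.append(f"unrecognized iNotes_WA_Sec_AttachCDHeader value: {mode!r}")
    raw = s.get("inotes_wa_sec_attachcdwhitelist", "")
    # Normalize entries (whitespace, leading dot, case) for comparison only.
    for entry in filter(None, (e.strip().lstrip(".").lower() for e in raw.split(","))):
        if entry in ACTIVE_TYPES:
            findings.append(f"whitelist entry '{entry}' can carry active content")
        elif entry not in approved:
            findings.append(f"whitelist entry '{entry}' is not on the approved list")
    return findings

# Constructed sample input, not a real server configuration.
SAMPLE = """\
[Notes]
iNotes_WA_Sec_AttachCDHeader=2
iNotes_WA_Sec_AttachCDWhiteList=jpg, PDF ,html,.svg,docx
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass your own approved set to audit() so that the report reflects the file types your organization has reviewed.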