PDF Security in SharePoint 2010

April 6, 2011
3 Comments Written by JB

Here’s a handy nugget of information I picked up at NZSPC2011.

Out of the box, SP2010 will force you to save PDFs from SharePoint rather than open them in the browser. This is to prevent cross-site scripting (XSS), which is pretty easy to pull off with a PDF. Good solid security principle that one – I like it.

For most users however, this comes as a jarring change from what they’re used to, so cue complaints from users, and an SP Admin looking for a quick fix. Google will quickly point you at hundreds of suggestions to change the Browser File Handling setting from Strict to Permissive (set per web application, under General Settings).

This is a purely evil approach, as it immediately relaxes file handling security for ALL file types, not just PDF.

The better way of doing this is to set an ‘Inline Download’ exclusion just for PDF files. There’s a good post at pdfsharepoint.com by Dmitry that covers this in detail, but here’s the important bit:

Via PowerShell, run the following script to create a MIME type exclusion for PDF files in your web application. The only value you need to change here is the http://webapp.domain bit – set it to your web application hostname.

# Add application/pdf to the web application's inline-download exclusions.
# Browser File Handling stays Strict for every other file type.
$webApp = Get-SPWebApplication http://webapp.domain
If ($webApp.AllowedInlineDownloadedMimeTypes -notcontains "application/pdf")
{
    Write-Host -ForegroundColor White "Adding Pdf MIME Type..."
    $webApp.AllowedInlineDownloadedMimeTypes.Add("application/pdf")
    $webApp.Update()    # persist the change to the configuration database
    Write-Host -ForegroundColor White "Added and saved."
}
Else
{
    Write-Host -ForegroundColor White "Pdf MIME type is already added."
}
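As an added example (not from this post or from Dmitry's article), here is the audit side of the same setting: it lists every web application's Browser File Handling mode and its inline-download exclusions, so you can spot an application that someone has flipped to Permissive and confirm that the PDF exception is the only deliberate change. It assumes the SharePoint 2010 Management Shell (the Microsoft.SharePoint.PowerShell snap-in) and farm-admin rights.

```powershell
# Added audit script, not part of the original post.
# Reports each web application's Browser File Handling mode and its
# AllowedInlineDownloadedMimeTypes, and flags the two things worth a look:
#   - a web application set to Permissive (relaxes handling for ALL file types)
#   - whether application/pdf is (or is not) excluded from Strict handling
# Assumes the SharePoint 2010 snap-in is loaded; uncomment if running from
# a plain PowerShell window rather than the SharePoint 2010 Management Shell.
# Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($webApp in Get-SPWebApplication) {
    $mode   = $webApp.BrowserFileHandling            # Strict or Permissive
    $inline = @($webApp.AllowedInlineDownloadedMimeTypes)
    $hasPdf = $inline -contains "application/pdf"

    $finding = if ($mode -eq "Permissive") {
        "WARNING: Permissive - inline handling relaxed for every file type"
    } elseif ($hasPdf) {
        "OK: Strict with a PDF-only inline exclusion"
    } else {
        "OK: Strict, PDFs will be offered as a download"
    }

    # Review the full list as well: any type beyond what you added on
    # purpose deserves a second look.
    New-Object PSObject -Property @{
        WebApplication      = $webApp.DisplayName
        Url                 = $webApp.Url
        BrowserFileHandling = $mode
        PdfInline           = $hasPdf
        InlineMimeTypes     = ($inline -join ", ")
        Finding             = $finding
    }
}

$report |
    Sort-Object BrowserFileHandling -Descending |
    Format-Table -AutoSize WebApplication, Url, BrowserFileHandling, PdfInline, Finding
```

Pipe `$report` to Export-Csv instead of Format-Table if you want to keep a baseline and diff it after the next round of "quick fixes".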

Posted in 2010 - Tagged PDF, Security, SharePoint 2010

3 Comments

  1. jbooker
    July 29, 2011 at 2:57 am

    You can work around the Strict Browser File Handling by embedding the pdf in the page like this:

    http://joshuabooker.com/Documents/pdf.aspx?file=browserfilehandling.pdf

    The above is a PDF file in the browser from my Office365 site even though browser file handling is set to strict.

    HTH,
    Josh

    • Julian
      July 29, 2011 at 7:20 am

      Interesting workaround Josh.
      I do wonder how responsible (security-wise) it is to use javascript to work around an intentional security protection method though.
      In an on-premise situation you’d be better off sticking with the Inline Download Exclusion method, but in O365 you don’t have that option yet, so your workaround would indeed be useful.

      Rgds
      JB

  2. jbooker
    July 30, 2011 at 12:48 am

    Julian,

    I agree about security. As you point out, adding inline MIME types is preferred. That said, I do wonder how responsible it is (usability-wise) for MS not to have provided a secure viewer for O365.

    I did this in response to the overwhelming user demand and underwhelming MS response for a solution to open PDFs in the browser in O365. In my opinion, MS should have provided a secure viewer before now. Especially because they have a Silverlight XPSPDF viewer already on docs.com.

    I know some may feel differently, but to me, usability trumps the risk when it comes to pdfs in the browser.
    Plus I will add for those who feel safe with the Browser File Handling set to strict, the fact that you can by-pass the "noopen" header like this proves it’s really not so strict.

    Thanks for looking,
    Josh
