May 3, 2012

Setting Permissive Handling for a Specific File Type

I was performing some branding work at a client in order to allow them to easily duplicate their existing intranet site (a small set of static HTML pages) in SharePoint. We ran into a slight hiccup with getting a Flash video (.swf) from their home page to display properly in SharePoint via a Content Editor web part. When deployed to the _layouts directory, everything worked perfectly, but when we tried uploading it to the Site Assets library and referencing it there, the video wouldn't display on the page.


The reason for this is the way the SharePoint web application handles unknown file types. The "Browser File Handling" setting (Central Admin > Web Application > General Settings) determines whether additional security headers are added to files in order to force the client to download them. The default setting of "Strict" enforces this, while the alternative "Permissive" setting removes these headers, providing a better user experience by allowing files to display directly in the browser.


[Image: SharePoint 2010 - Browser File Handling]




While updating this one setting easily solves the problem, it also allows anything uploaded by a user to automatically execute. And although I personally trust my colleagues not to upload malicious code, security folks typically don't. So rather than changing this setting for all files via the UI, a better approach is to change it for only the necessary file types. This can only be done using PowerShell.


The SPWebApplication type has two relevant properties. The BrowserFileHandling property corresponds to the UI values - it can be set to either Strict or Permissive (via the SPBrowserFileHandling enumeration), and if permissive, all file types will be allowed to execute in the browser. More important is the AllowedInlineDownloadedMimeTypes property, a collection of strings representing the "permissible" MIME types. Even under strict browser file handling, the types in this collection will be allowed to run in the browser. So we just need to write a simple PowerShell script to add our desired MIME types to the collection.

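# Load the SharePoint cmdlets when running outside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Prompt for the target web application and the MIME type to allow inline
$webAppUrl = Read-Host "Web Application URL"
$mimeType = Read-Host "MIME Type"
$webApp = Get-SPWebApplication $webAppUrl

# Only add the type (and persist the change) if it is not already in the collection
If ($webApp.AllowedInlineDownloadedMimeTypes -notcontains $mimeType)
{
  Write-Host "Adding" $mimeType "MIME type..."
  $webApp.AllowedInlineDownloadedMimeTypes.Add($mimeType)
  $webApp.Update()
  Write-Host $mimeType "MIME type successfully added and saved."
} Else {
  Write-Host $mimeType "MIME type has already been added."
}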

This script will prompt the user for the web application URL and MIME type value, then add it to the collection. In my case, I needed to add the "application/x-shockwave-flash" MIME type for Flash video files, but another very common use is to enable PDFs stored in document libraries to be viewed in the browser, as most users are accustomed to. The necessary MIME type in that case is "application/pdf".
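Because each entry in AllowedInlineDownloadedMimeTypes applies to every file of that type in the web application, it helps to be able to review and reverse these exceptions. The following is an added example, not part of the original post: the function names and the watch list are assumptions, and it uses only the two properties described above.

```powershell
# Added example: review and revert inline-rendering exceptions per web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: MIME types to look for; these two are the ones mentioned in the post.
$watchList = @('application/x-shockwave-flash', 'application/pdf')

# Hypothetical helper: one row per web application showing its handling mode
# and which watched MIME types are currently allowed to render inline.
function Get-InlineMimeTypeReport {
    param([string[]]$WatchList)
    foreach ($wa in Get-SPWebApplication) {
        $present = @($WatchList | Where-Object {
            $wa.AllowedInlineDownloadedMimeTypes -contains $_
        })
        $isPermissive = $wa.BrowserFileHandling -eq `
            [Microsoft.SharePoint.SPBrowserFileHandling]::Permissive
        New-Object PSObject -Property @{
            WebApplication = $wa.Url
            Handling       = $wa.BrowserFileHandling
            Permissive     = $isPermissive   # every file type renders inline
            WatchedInline  = ($present -join ', ')
            InlineCount    = $wa.AllowedInlineDownloadedMimeTypes.Count
        }
    }
}

# Hypothetical helper: remove one MIME type from the collection again.
# Returns $true if the type was present and the change was saved.
function Remove-InlineMimeType {
    param([string]$WebAppUrl, [string]$MimeType)
    $wa = Get-SPWebApplication $WebAppUrl
    if ($wa.AllowedInlineDownloadedMimeTypes.Remove($MimeType)) {
        $wa.Update()
        return $true
    }
    return $false
}

# List the current state for all web applications in the farm.
Get-InlineMimeTypeReport -WatchList $watchList |
    Format-Table WebApplication, Handling, Permissive, WatchedInline, InlineCount -AutoSize

# Example revert (constructed URL; replace with a real web application):
# Remove-InlineMimeType -WebAppUrl 'http://intranet.example.local' -MimeType 'application/x-shockwave-flash'
```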
