0

So basically the href of the anchor tag is something like hxxtp://www.xxxx/xx.zip and the anchor tag text visible to user is something like xxxx.pdf ,when user clicks it Mozilla opens it as a .pdf but actually it is a .zip.

My doubt: Why is firefox opening it as a pdf when the url says it's a .zip ,does firefox read the header of the file and decide if its a pdf or a .zip ,is this not fooling a user into clicking a .zip, although he thinks that it's a pdf?

rebel87
  • 205
  • 4
  • 11

1 Answers1

1

There are three seperate things at play here:

  • The <a> text visible to the user (which can be anything and doesn't need to be a valid link)
  • The URL itself, inside the href attribute of the <a> tag
  • The actual content being served at that URL

Browsers do not use file extensions to determine the type of the content being served. Instead, they inspect the Content-Type header in the HTTP response that the server sends.

It is completely possible (albeit surprising) for an HTTP server to be configured in such a way that a .zip will be served with a PDF type (application/pdf), in which case the browser will try to open it as a PDF file (whether it succeeds in doing so depends on whether the contents of the file form an actual, valid PDF). Likewise, it is completely possible for a server to serve a .pdf file as a ZIP file (application/zip), in which case the browser will try to open it as a ZIP file. The extension of the file is irrelevant; it's the Content-Type that the server reports that counts.

Etienne Dechamps
  • 136
  • 2
  • Thanks for the answer , guessing what will happen when a .zip file will be served in the above case and browser opens the it as a .pdf ,imo garbage... – rebel87 Aug 13 '16 at 18:14
  • Of course it would be garbage but that wouldn't be the end of the world, even if it contained the worst virus as it wouldn't get executed. Note that there is also the MIME type which browsers can detect when content type is not specified. – Julie Pelletier Aug 14 '16 at 03:59