Affects Version/s: 3.9.0 GA (4.5.0 GA Suite Release)
Fix Version/s: Backlog
Environment: Chrome 16 - 18
Browser: Google Chrome 10.x
Operating System/s: Mac OSX, Windows 7 (64-bit), Windows Server 2008 (32-bit), Windows Server 2008 R2 (64-bit)
When viewing a report whose name contains commas and attempting to output it as PDF, the following error is thrown in Chrome 16 - 18:
"Error 349 (net::ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION): Multiple distinct Content-Disposition headers received. This is disallowed to protect against HTTP response splitting attacks."
The relevant response headers received are:
Date Wed, 09 May 2012 16:55:32 GMT
The spec specifically states:
content-disposition = "Content-Disposition" ":"
                      disposition-type *( ";" disposition-parm )
disposition-type = "attachment" | disp-extension-token
disposition-parm = filename-parm | disp-extension-parm
filename-parm = "filename" "=" quoted-string
disp-extension-token = token
disp-extension-parm = token "=" ( token | quoted-string )
Since the filename attribute of the Content-Disposition header is not a quoted string, Chrome parses it as multiple dispositions and a violation of the spec. Chromium recently made a change attempting to enforce stricter adherence to the HTTP spec, but has since back-pedaled. This is an issue that may eventually be mitigated by that back-pedaling from Chromium developers, but Pentaho should still honor the nature of the spec in case the browser vendors come together and adhere to the spec in the future.
The version I tested this issue on is Pentaho 4.5.0 Community Edition (4.5.0-stable) downloaded from SourceForge on May 7th, 2011. The engine version is: 3.9.0-GA.15546
The Chromium bug can be found here: http://code.google.com/p/chromium/issues/detail?id=103618
The relevant spec can be found here: http://www.ietf.org/rfc/rfc2616.txt
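An added example, not Pentaho code and not part of the original report: one way to emit the filename as an RFC 2616 quoted-string so that commas stay inside a single disposition, with a small check that counts the comma-separated elements a strict parser would see. The class and method names and the sample report name are hypothetical, and replacing non-ASCII characters with `_` is an assumption made to keep the value ASCII-only.

```java
// Added example, not Pentaho code. Class and method names are hypothetical.
public class ContentDispositionExample {

    // Builds "attachment; filename=<quoted-string>" following the RFC 2616
    // grammar quoted in the report.
    static String attachment(String fileName) {
        StringBuilder quoted = new StringBuilder("\"");
        for (int i = 0; i < fileName.length(); i++) {
            char c = fileName.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                continue; // drop CR, LF and other CTLs: they must never reach a header
            } else if (c > 0x7e) {
                quoted.append('_'); // assumption: keep the value ASCII-only
            } else if (c == '"' || c == '\\') {
                quoted.append('\\').append(c); // quoted-pair
            } else {
                quoted.append(c); // commas and semicolons are fine inside quotes
            }
        }
        return "attachment; filename=" + quoted.append('"');
    }

    // Counts comma-separated elements outside quoted-strings; more than one is
    // what the report says Chrome parses as multiple dispositions.
    static int topLevelElements(String headerValue) {
        int count = 1;
        boolean inQuotes = false;
        for (int i = 0; i < headerValue.length(); i++) {
            char c = headerValue.charAt(i);
            if (inQuotes && c == '\\') {
                i++; // skip the escaped character of a quoted-pair
            } else if (c == '"') {
                inQuotes = !inQuotes;
            } else if (c == ',' && !inQuotes) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        String name = "Sales, Q1, 2012.pdf"; // constructed sample report name
        String unquoted = "attachment; filename=" + name;
        String quoted = attachment(name);
        System.out.println(unquoted + " -> " + topLevelElements(unquoted) + " element(s)");
        System.out.println(quoted + " -> " + topLevelElements(quoted) + " element(s)");
    }
}
```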