
Add all mime type settings

arvid-e 9 luni în urmă
părinte
comite
1e7be0b64a

+ 32 - 5
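--- a/apps/app/src/server/routes/apiv3/configurable-mime-types.ts
+++ b/apps/app/src/server/routes/apiv3/configurable-mime-types.ts
@@ -1,15 +1,42 @@
 export const CONFIGURABLE_MIME_TYPES_FOR_DISPOSITION = [
-  'image/png',
+  // Common Image Types
   'image/jpeg',
+  'image/png',
   'image/gif',
   'image/webp',
   'image/bmp',
+  'image/tiff',
   'image/x-icon',
+
+  // Document & Media Types
   'application/pdf',
+  'text/plain',
   'video/mp4',
+  'video/webm',
+  'video/ogg',
   'audio/mpeg',
-  'text/plain',
-  'text/html', // Likely default to false
-  'application/javascript', // Likely default to false
-  'image/svg+xml', // Likely default to false
+  'audio/ogg',
+  'audio/wav',
+
+  // Potentially Dangerous / Executable / Scriptable Types (defaulting to attachment for security)
+  'text/html',
+  'text/javascript',
+  'application/javascript',
+  'image/svg+xml',
+  'application/xml',
+  'application/json',
+  'application/x-sh', // Shell scripts
+  'application/x-msdownload', // Executables
+  'application/octet-stream', // Generic binary
+
+  // Other Common Document Formats (often better as attachment)
+  'application/msword',
+  'application/vnd.openxmlformats-officedocument.wordprocessingml.document', // .docx
+  'application/vnd.ms-excel',
+  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', // .xlsx
+  'application/vnd.ms-powerpoint',
+  'application/vnd.openxmlformats-officedocument.presentationml.presentation', // .pptx
+  'application/zip',
+  'application/x-rar-compressed',
+  'text/csv',
 ];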
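Review bot: Every entry in this array is turned into a config key by string interpolation in content-disposition-settings.js (`attachments:contentDisposition:${mimeType}:inline`) and has to have a matching entry in both CONFIG_KEYS and CONFIG_DEFINITIONS in config-definition.ts, but nothing here records that coupling, so a type added to one list and not the others is only noticed at runtime inside that handler's try/catch. I would put the contract in a header comment: `// Each type here needs a matching 'attachments:contentDisposition:<type>:inline' entry in config-definition.ts; the settings route derives the config key from this string.` The group comment "defaulting to attachment for security" describes defaults that live in config-definition.ts, not in this file, so it reads better as a cross-reference ("defaults are in config-definition.ts") than as a statement about this list. Declaring the array `as const` would also allow the key list to be typed from it instead of hand-copied, if the config layer's key type permits that.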

+ 1 - 3
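--- a/apps/app/src/server/routes/apiv3/content-disposition-settings.js
+++ b/apps/app/src/server/routes/apiv3/content-disposition-settings.js
@@ -15,8 +15,6 @@ const logger = loggerFactory('growi:routes:apiv3:markdown-setting');
 const express = require('express');
 
 const router = express.Router();
-const { body } = require('express-validator');
-
 
 module.exports = (crowi) => {
   const loginRequiredStrictly = require('../../middlewares/login-required')(crowi);
@@ -25,7 +23,7 @@ module.exports = (crowi) => {
   const activityEvent = crowi.event('activity');
 
 
-  router.get('/content-disposition', loginRequiredStrictly, adminRequired, async(req, res) => {
+  router.get('/content-disposition-settings', loginRequiredStrictly, adminRequired, async(req, res) => {
     const promises = CONFIGURABLE_MIME_TYPES_FOR_DISPOSITION.map(async(mimeType) => {
       const configKey = `attachments:contentDisposition:${mimeType}:inline`;
       try {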
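Review bot: With the router mounted at `/content-disposition-settings` in index.js in this same commit, the renamed route on the new side resolves to `/content-disposition-settings/content-disposition-settings`; unless that doubled segment is intended, the handler should be registered as `router.get('/', loginRequiredStrictly, adminRequired, async(req, res) => {`. The logger in this file is still created as `loggerFactory('growi:routes:apiv3:markdown-setting')` (visible in the first hunk header), which misattributes every log line from this route; it should be `loggerFactory('growi:routes:apiv3:content-disposition-settings')`. The hunk also drops the file's only express-validator import, so if the file has a route that writes these keys it now does so without request validation — no such route is visible from here, though the `activityEvent` handle suggests one. The handler body continues past the end of the hunk.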

+ 1 - 0
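--- a/apps/app/src/server/routes/apiv3/index.js
+++ b/apps/app/src/server/routes/apiv3/index.js
@@ -36,6 +36,7 @@ module.exports = (crowi, app) => {
   // admin
   routerForAdmin.use('/admin-home', require('./admin-home')(crowi));
   routerForAdmin.use('/markdown-setting', require('./markdown-setting')(crowi));
+  routerForAdmin.use('/content-disposition-settings', require('./content-disposition-settings')(crowi));
   routerForAdmin.use('/app-settings', require('./app-settings')(crowi));
   routerForAdmin.use('/customize-setting', require('./customize-setting')(crowi));
   routerForAdmin.use('/notification-setting', require('./notification-setting')(crowi));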

+ 173 - 0
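--- a/apps/app/src/server/service/config-manager/config-definition.ts
+++ b/apps/app/src/server/service/config-manager/config-definition.ts
@@ -78,6 +78,45 @@ export const CONFIG_KEYS = [
   'app:openaiThreadDeletionCronMaxMinutesUntilRequest',
   'app:openaiVectorStoreFileDeletionCronMaxMinutesUntilRequest',
 
+  // Attachment Content-Disposition settings
+  // Image Types ---
+  'attachments:contentDisposition:image/jpeg:inline',
+  'attachments:contentDisposition:image/png:inline',
+  'attachments:contentDisposition:image/gif:inline',
+  'attachments:contentDisposition:image/webp:inline',
+  'attachments:contentDisposition:image/bmp:inline',
+  'attachments:contentDisposition:image/tiff:inline',
+  'attachments:contentDisposition:image/x-icon:inline',
+  // Document & Media Types ---
+  'attachments:contentDisposition:application/pdf:inline',
+  'attachments:contentDisposition:text/plain:inline',
+  'attachments:contentDisposition:video/mp4:inline',
+  'attachments:contentDisposition:video/webm:inline',
+  'attachments:contentDisposition:video/ogg:inline',
+  'attachments:contentDisposition:audio/mpeg:inline',
+  'attachments:contentDisposition:audio/ogg:inline',
+  'attachments:contentDisposition:audio/wav:inline',
+  // Potentially Dangerous / Executable / Scriptable Types ---
+  'attachments:contentDisposition:text/html:inline',
+  'attachments:contentDisposition:text/javascript:inline',
+  'attachments:contentDisposition:application/javascript:inline',
+  'attachments:contentDisposition:image/svg+xml:inline',
+  'attachments:contentDisposition:application/xml:inline',
+  'attachments:contentDisposition:application/json:inline',
+  'attachments:contentDisposition:application/x-sh:inline',
+  'attachments:contentDisposition:application/x-msdownload:inline',
+  'attachments:contentDisposition:application/octet-stream:inline',
+  // Other Common Document Formats ---
+  'attachments:contentDisposition:application/msword:inline',
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.wordprocessingml.document:inline',
+  'attachments:contentDisposition:application/vnd.ms-excel:inline',
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet:inline',
+  'attachments:contentDisposition:application/vnd.ms-powerpoint:inline',
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.presentationml.presentation:inline',
+  'attachments:contentDisposition:application/zip:inline',
+  'attachments:contentDisposition:application/x-rar-compressed:inline',
+  'attachments:contentDisposition:text/csv:inline',
+
   // Security Settings
   'security:wikiMode',
   'security:sessionMaxAge',
@@ -538,6 +577,140 @@ export const CONFIG_DEFINITIONS = {
     defaultValue: 30,
   }),
 
+  // Attachment Content-Disposition settings
+  'attachments:contentDisposition:image/jpeg:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_JPEG_INLINE',
+  }),
+  'attachments:contentDisposition:image/png:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_PNG_INLINE',
+  }),
+  'attachments:contentDisposition:image/gif:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_GIF_INLINE',
+  }),
+  'attachments:contentDisposition:image/webp:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_WEBP_INLINE',
+  }),
+  'attachments:contentDisposition:image/bmp:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_BMP_INLINE',
+  }),
+  'attachments:contentDisposition:image/tiff:inline': defineConfig<boolean>({
+    defaultValue: true, // TIFF is common for scans, often supported by browsers
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_TIFF_INLINE',
+  }),
+  'attachments:contentDisposition:image/x-icon:inline': defineConfig<boolean>({ // Favicons
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_X_ICON_INLINE',
+  }),
+  'attachments:contentDisposition:application/pdf:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_PDF_INLINE',
+  }),
+  'attachments:contentDisposition:text/plain:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_TEXT_PLAIN_INLINE',
+  }),
+  'attachments:contentDisposition:video/mp4:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_VIDEO_MP4_INLINE',
+  }),
+  'attachments:contentDisposition:video/webm:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_VIDEO_WEBM_INLINE',
+  }),
+  'attachments:contentDisposition:video/ogg:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_VIDEO_OGG_INLINE',
+  }),
+  'attachments:contentDisposition:audio/mpeg:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_AUDIO_MPEG_INLINE',
+  }),
+  'attachments:contentDisposition:audio/ogg:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_AUDIO_OGG_INLINE',
+  }),
+  'attachments:contentDisposition:audio/wav:inline': defineConfig<boolean>({
+    defaultValue: true,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_AUDIO_WAV_INLINE',
+  }),
+  'attachments:contentDisposition:text/html:inline': defineConfig<boolean>({
+    defaultValue: false, // HTML can contain scripts, always download
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_TEXT_HTML_INLINE',
+  }),
+  'attachments:contentDisposition:text/javascript:inline': defineConfig<boolean>({
+    defaultValue: false, // JS files should always download
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_TEXT_JAVASCRIPT_INLINE',
+  }),
+  'attachments:contentDisposition:application/javascript:inline': defineConfig<boolean>({
+    defaultValue: false, // JS files should always download
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_JAVASCRIPT_INLINE',
+  }),
+  'attachments:contentDisposition:image/svg+xml:inline': defineConfig<boolean>({
+    defaultValue: false, // SVG can contain embedded scripts and vulnerabilities, default to download. Consider a strong warning if setting to true.
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_IMAGE_SVG_XML_INLINE',
+  }),
+  'attachments:contentDisposition:application/xml:inline': defineConfig<boolean>({
+    defaultValue: false, // XML can have XSLT for scripts, default to download
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_XML_INLINE',
+  }),
+  'attachments:contentDisposition:application/json:inline': defineConfig<boolean>({
+    defaultValue: false, // Often contains sensitive data, better to download unless explicitly intended to display in browser's JSON viewer
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_JSON_INLINE',
+  }),
+  'attachments:contentDisposition:application/x-sh:inline': defineConfig<boolean>({ // Shell scripts
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_X_SH_INLINE',
+  }),
+  'attachments:contentDisposition:application/x-msdownload:inline': defineConfig<boolean>({ // Executables (.exe, .dll, etc.)
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_X_MSDOWNLOAD_INLINE',
+  }),
+  'attachments:contentDisposition:application/octet-stream:inline': defineConfig<boolean>({ // Generic binary data
+    defaultValue: false, // Often used for downloads anyway
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_OCTET_STREAM_INLINE',
+  }),
+  'attachments:contentDisposition:application/msword:inline': defineConfig<boolean>({ // .doc
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_MSWORD_INLINE',
+  }),
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.wordprocessingml.document:inline': defineConfig<boolean>({ // .docx
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_VND_WORDPROCESSINGML_DOCUMENT_INLINE',
+  }),
+  'attachments:contentDisposition:application/vnd.ms-excel:inline': defineConfig<boolean>({ // .xls
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_MS_EXCEL_INLINE',
+  }),
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet:inline': defineConfig<boolean>({ // .xlsx
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_VND_SPREADSHEETML_SHEET_INLINE',
+  }),
+  'attachments:contentDisposition:application/vnd.ms-powerpoint:inline': defineConfig<boolean>({ // .ppt
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_MS_POWERPOINT_INLINE',
+  }),
+  'attachments:contentDisposition:application/vnd.openxmlformats-officedocument.presentationml.presentation:inline': defineConfig<boolean>({ // .pptx
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_VND_PRESENTATIONML_PRESENTATION_INLINE',
+  }),
+  'attachments:contentDisposition:application/zip:inline': defineConfig<boolean>({
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_ZIP_INLINE',
+  }),
+  'attachments:contentDisposition:application/x-rar-compressed:inline': defineConfig<boolean>({
+    defaultValue: false,
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_APPLICATION_X_RAR_COMPRESSED_INLINE',
+  }),
+  'attachments:contentDisposition:text/csv:inline': defineConfig<boolean>({
+    defaultValue: false, // Best to download for CSV to avoid rendering issues
+    envVarName: 'ATTACHMENTS_CONTENT_DISPOSITION_TEXT_CSV_INLINE',
+  }),
+
   // Security Settings
   'security:wikiMode': defineConfig<string | undefined>({
     envVarName: 'FORCE_WIKI_MODE',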