Today, most browsers are designed to handle the known mime types in a very user-friendly manner. For example, if a server program writes an image/jpeg as a mime type, the browser will open the registered image viewer to display the contents. This would be true for any registered mime type on the client machine.
While this feature provides an easier user interface, it also poses a severe security threat for Web applications. The mime type’s contents could include viruses, session hijackers, or cookie spyware programs.
To solve this security problem, you can force the browser to display a “Save As/Open from current location” dialogue box when it wants to write known binary content to the client.
The official approach for this is to use a http header to request the display of user permission dialog box. This header is known as “Content-Disposition.”
Following is the sample for Java-based applications, though almost all http libraries provide an API to set an http header.
HttpResponse.setHeader("Content-Disposition "," attachment; filename= tip.jpeg");