Re: [FileAPI] Blob.URN?

From: Robin Berjon <robin@berjon.com>
Date: Wed, 31 Mar 2010 17:24:07 +0200
Cc: Web Applications Working Group WG <public-webapps@w3.org>, Eric Uhrhane <ericu@google.com>
Message-Id: <01954EFF-2013-4423-9856-B00E5492EBF7@berjon.com>
To: Tab Atkins Jr. <jackalmage@gmail.com>

On Mar 31, 2010, at 16:58 , Tab Atkins Jr. wrote:
> On Wed, Mar 31, 2010 at 1:55 AM, Robin Berjon <robin@berjon.com> wrote:
>> On Mar 31, 2010, at 01:56 , Darin Fisher wrote:
>>> The only way to get a FileWriter at the moment is from <input type="saveas">.  What is desired is a way to simulate the load of a resource with Content-Disposition: attachment that would trigger the browser's download manager.
>> 
>> I don't think that <input type=saveas> is a good solution for this, for one it falls back to a text input control, which is less than ideal. I think that the File Writer should trigger downloads on an API call since that doesn't introduce security issues that aren't already there. I'll make a proposal for that.
> 
> Better fallback could be achieved with <button type=saveas></button>.

Well, that gives you a button that does nothing. It's better in the same sense that if you want to get to the moon, a car is better than a kick scooter.

You can already redirect to malicious.exe. You can also already build malicious.zip directly in script and prompt for download (like http://jszip.stuartk.co.uk/ does). A saveAs() method that works through the download UI changes nothing security-wise, unless I'm missing something.

I'm going to flag the entry point issue in the draft, and DAP has decided to release a FPWD of it (because most of it is still very useful to look at separately from this issue).

-- 
Robin Berjon - http://berjon.com/
Received on Wednesday, 31 March 2010 15:24:36 GMT
