- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Thu, 16 Jan 2014 11:28:31 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
The spec currently says that integrity checks are performed both if the "download" attribute is used, and if a download is triggered by Content-Disposition. However, the latter would not be meaningful: if the destination site goes rogue, it could initially return a minimalistic HTML document that is not served with Content-Disposition: attachment, but then performs an instant <meta> or JS redirect to an evil binary. In this case, the integrity attribute will be ignored and the navigation to the evil HTML document will take place, with a download commencing immediately thereafter; and the end result would be practically indistinguishable from a successful integrity check. I think the only way to make integrity work on <a> is to require the download attribute. Further, because incorrect uses would be otherwise hard to spot, I would suggest specifying that <a integrity=...> with no 'download' specified should fail unconditionally. /mz
Received on Thursday, 16 January 2014 19:29:20 UTC