W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2011

[whatwg] "Content-Disposition" property for <a> tags

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 30 Apr 2011 11:24:11 -0700
Message-ID: <BANLkTikNZuAZ03AggqXO_GL71Tgay8iH9g@mail.gmail.com>
Note that somewhat counterintuitively, there would be some security
concerns with markup-level content disposition controls (or any JS
equivalent). For example, consider evil.com doing this:

<a href='http://example.com/user_content/harmless_text_file.txt'
disposition='attachment; filename="Important_Security_Update.exe"'>

Downloading files in general is a very problematic area, because
there's a very fragile transition between HTTP MIME type and
filesystem extension or other OS-level content determination
mechanism. Many browsers either don't try to do anything useful to
prevent weird "promotions" from safe to unsafe document types; or
enforce decidedly imperfect logic. Allowing attackers to further
control this process has some risks.

[ This is further compounded by the fact that in many cases, it is
safer for users to open certain document types, HTML included, from
http: URLs than from file:. ]

/mz
Received on Saturday, 30 April 2011 11:24:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:03 GMT