
[whatwg] "Content-Disposition" property for <a> tags

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 30 Apr 2011 11:54:16 -0700
Message-ID: <BANLkTinc+VcupK845HHqL_sqzsna-xTbhg@mail.gmail.com>
> Maybe a bit more contriving could come up with a more plausible example.

My concern is a bit more straightforward. To use a practical example:
just because a social networking site allows nearly arbitrary JPEG
files to be uploaded and served as profile pictures (Content-Type:
image/jpeg) does not mean that the application wants users to be
offered that content as a download named Security_Update.exe,
supposedly coming from that trusted site.

(It is usually not difficult to construct documents that are both a
valid image and a valid executable.)

But yes, there are probably also potential interactions with
whitelisted domains, especially given that the whitelist-based
capabilities are expanding rapidly.

Received on Saturday, 30 April 2011 11:54:16 UTC
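
An added example, not part of the original message: one way a site that serves uploads can choose the saved file name itself, sending its own Content-Disposition header whose extension matches the type it serves. The function names, the type table, the storage id format and the sample bytes are all constructed for illustration.

```javascript
// Added example: headers for serving a user upload so that the site, not the
// uploader, chooses the saved file name. All names here are hypothetical.
const ALLOWED = [
  { type: 'image/jpeg', ext: 'jpg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/png', ext: 'png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/gif', ext: 'gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

// Identify the type from the leading bytes. This does not rule out polyglot
// files; it only decides which type and extension the server commits to.
function detectImageType(bytes) {
  return ALLOWED.find((t) => t.magic.every((b, i) => bytes[i] === b)) || null;
}

// Build response headers from a server-generated id and the detected type.
// The uploader-supplied name is never echoed into the response.
function uploadResponseHeaders(storageId, bytes) {
  if (!/^[a-z0-9]{1,32}$/.test(storageId)) {
    throw new Error('storage id must be a short server-generated token');
  }
  const kind = detectImageType(bytes);
  if (!kind) return null; // caller rejects the upload
  return {
    'Content-Type': kind.type,
    'X-Content-Type-Options': 'nosniff',
    // Embedding through <img> still works; the name applies when the file is saved.
    'Content-Disposition': `attachment; filename="${storageId}.${kind.ext}"`,
  };
}

// Constructed sample: JPEG leading bytes uploaded under a misleading name.
const sampleUpload = {
  claimedName: 'Security_Update.exe',
  bytes: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]),
};
console.log(uploadResponseHeaders('u12345', sampleUpload.bytes));
```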
