[whatwg] "Content-Disposition" property for <a> tags

From: Glenn Maynard <glenn@zewt.org>
Date: Sat, 30 Apr 2011 15:07:45 -0400
Message-ID: <BANLkTimAvpFRyTYkESnsXPvRFe4wzujyNw@mail.gmail.com>

On Sat, Apr 30, 2011 at 2:54 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> My concern is a bit more straightforward. To use a practical example:
> just because a social networking site allows nearly arbitrary JPEG
> files to be uploaded and served as profile pictures (Content-Type:
> image/jpeg) does not mean that the application wants users to be
> offered that content as a download named Security_Update.exe,
> supposedly coming from that trusted site.

So, it's not so much the security issue (the browser's job), but an
appearance-of-fault issue: the site not wanting to be blamed if the
browser fails at that job.

> But yes, there are probably also potential interactions with
> whitelisted domains, especially given that the whitelist-based
> capabilities are expanding rapidly.

That suggests that this should be added sooner rather than later, so
the concept of filenames for files on trusted domains being set by
untrusted domains is considered in the design of these capabilities,
rather than being bolted on later.

Glenn Maynard
Received on Saturday, 30 April 2011 12:07:45 UTC