[whatwg] a rel=attachment from Glenn Maynard on 2011-07-18 (public-whatwg-archive@w3.org from July 2011)

From: Glenn Maynard <glenn@zewt.org>
Date: Mon, 18 Jul 2011 12:35:51 -0400
Message-ID: <CABirCh8iKBrrf+6bC21SYwizR-fgnVON4BGbz3QQK+X2=TResw@mail.gmail.com>

On Mon, Jul 18, 2011 at 11:58 AM, Alexey Proskuryakov <ap at webkit.org> wrote:
> A different scenario which I don't think has been discussed in this thread
is bypassing a hosting service security settings. Consider a highly
reputable hosting that doesn't let you upload executable files (or maybe
just scans those for malware if uploaded). With @download, one could bypass
that, and make users download or even run an .EXE file by following an
innocuous link to a well known domain. This kind of download could be same
origin or cross origin.

The service hosting the file--the target of the link--shouldn't convey
trust.  The page containing the download link is where trust should come
from, not the link target.

For example, if I have a link on my site to download Chrome, I'm not going
to link directly to the installer on google.com; I'll link to Google's
"Download Chrome" site.  The actual download link the user follows is not
only pointing to google.com, but is linked from there as well.  I expect
that most users will trust the download not because of where the download
link goes, but where it comes from.

If I link directly to the file to download, users should trust the file as
much as they trust *my* site, rather than Google itself, since the download
is, from their perspective, coming from me and not them.  Similarly, if a
site uses a mysterious CDN or an Amazon S3 link, that shouldn't affect
trust; if www.google.com/chrome puts the file itself on
mysteriousgooglecdn.com, it should be no less trusted than if it was from a
google.com subdomain.  That difference should be transparent to users.

(This is why it's okay that Firefox's open/save dialog shows the link target
in a minor, easily-ignored bit of text--it's not important information for
most users.  Chrome doesn't even show that.)

So, if a hosting service doesn't want to allow executable files, it won't
show files as executable from their own download pages, which is what should
matter as far as that site's trust is concerned.  People using this
mechanism to serve executable files from external links may be annoying, but
it shouldn't cause trust issues.

-- 
Glenn Maynard

Received on Monday, 18 July 2011 09:35:51 UTC