- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sun, 01 May 2011 12:56:32 -0400

On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

At least in the case of Firefox for that particular case on Windows the filename will be sanitized... But yes, there are other situations where things could be more problematic.

-Boris

Received on Sunday, 1 May 2011 09:56:32 UTC