Re: [whatwg] Priority between <a download> and content-disposition

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 18 Mar 2013 07:30:23 -0700
Message-ID: <CALx_OUC5EVqYXJO-XNh-56W5KELp-SgOH4hpaOTOaq=kX_bBVw@mail.gmail.com>
To: Glenn Maynard <glenn@zewt.org>
Cc: WHAT Working Group <whatwg@whatwg.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Jonas Sicking <jonas@sicking.cc>

I think I raised this on several other threads; in essence, countless
websites permit users to upload constrained file formats, such as
JPEGs or GIFs used as profile images. With content sniffing attacks,
we've already seen that it's relatively trivial for an attacker to make
files that are both valid images and also pretend to be some other,
more dangerous file format.

Because many browsers prominently display the origin of a download and
it's the only security indicator users really have, I think it's
harmful to permit something like:

<a href='http://www.facebook.com/.../user_profile_image.jpg'
download='important_facebook_update.exe'>

In fact, given the security problems it creates and the fact that they
will be difficult to fully mitigate without establishing some sort of
a new 'opt-out' mechanism akin to X-Content-Type-Options (to which
most of the Internet will remain oblivious), I'm not entirely sure if
the value of download= (which seems dubious, TBH) justifies the risk.

/mz
Received on Monday, 18 March 2013 14:31:17 GMT
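The concern above is that a cross-origin resource (a user-uploaded image served by a site the user trusts) can be relabelled as an executable purely by the linking page. As an added example that is not part of the original message or of any browser's actual implementation, the function below encodes one possible policy for deciding which filename to present: honor download= only for same-origin resources, and even then refuse a suggested extension that the server's Content-Type does not justify. The origin/extension rules, the MIME-to-extension table and the list of "dangerous" extensions are illustrative assumptions, not the spec's.

```javascript
// Added example: a testable filename policy for <a download>. Not browser
// code from the thread; the rules and tables here are assumptions chosen to
// illustrate the attack described above.

// Assumed (illustrative, not exhaustive) mapping from Content-Type to the
// extensions that type legitimately uses.
const EXT_BY_TYPE = {
  'image/jpeg': ['jpg', 'jpeg'],
  'image/gif': ['gif'],
  'image/png': ['png'],
  'text/plain': ['txt'],
  'application/pdf': ['pdf'],
};

// Assumed list of extensions desktop shells commonly treat as executable.
const DANGEROUS_EXT = new Set([
  'exe', 'scr', 'bat', 'cmd', 'com', 'msi', 'js', 'vbs', 'jar', 'hta', 'ps1',
]);

// Lower-cased extension of a filename, or '' if it has none.
function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name);
  return m ? m[1].toLowerCase() : '';
}

// Same-origin check on scheme, host and port (what the download UI shows).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Filename the server's URL path implies, used whenever download= is rejected.
function lastPathSegment(href) {
  const path = new URL(href).pathname;
  return decodeURIComponent(path.substring(path.lastIndexOf('/') + 1)) || 'download';
}

// Decide the filename to present for a download.
//   documentUrl  : URL of the page containing the <a>
//   href         : link target
//   downloadAttr : value of download= (null/'' when absent)
//   contentType  : server's Content-Type header, or null if absent
// Returns { filename, reason }.
function chooseDownloadName(documentUrl, href, downloadAttr, contentType) {
  const fallback = lastPathSegment(href);
  if (!downloadAttr) {
    return { filename: fallback, reason: 'no download attribute' };
  }
  // Rule 1: a third-party page may not rename a resource served by another origin.
  if (!sameOrigin(documentUrl, href)) {
    return { filename: fallback, reason: 'cross-origin: download= ignored' };
  }
  // Strip path separators so the suggestion cannot escape the download dir.
  const suggested = downloadAttr.replace(/[\\/]+/g, '_');
  const wanted = extensionOf(suggested);
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  const allowed = EXT_BY_TYPE[type];
  // Rule 2: a known Content-Type pins the set of acceptable extensions.
  if (allowed && wanted && !allowed.includes(wanted)) {
    return { filename: fallback, reason: `extension .${wanted} inconsistent with ${type}` };
  }
  // Rule 3: never upgrade an unlabelled resource to an executable name.
  if (!allowed && DANGEROUS_EXT.has(wanted)) {
    return { filename: fallback, reason: `refusing executable extension .${wanted} for unlabelled type` };
  }
  return { filename: suggested, reason: 'download= honored' };
}

// Constructed sample, mirroring the thread's example: a page on another site
// points at a profile image and suggests an .exe name for it.
const sample = chooseDownloadName(
  'https://attacker.example/',
  'http://www.facebook.com/photos/user_profile_image.jpg',
  'important_facebook_update.exe',
  'image/jpeg',
);
console.log(sample);

module.exports = { chooseDownloadName, extensionOf, sameOrigin, lastPathSegment };
```

Rule 1 alone defeats the profile-image case from the message; rules 2 and 3 cover a same-origin page whose own upload endpoint is the source of the polyglot file, which the origin check does nothing about.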