
Re: [whatwg] Priority between <a download> and content-disposition

From: Glenn Maynard <glenn@zewt.org>
Date: Mon, 18 Mar 2013 09:50:19 -0500
Message-ID: <CABirCh8KrGvhntUY3F_2mxuWqP59XgCGD1VOYzAGq9KoRGi6Aw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: WHAT Working Group <whatwg@whatwg.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Jonas Sicking <jonas@sicking.cc>
On Mon, Mar 18, 2013 at 9:30 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> I think I raised this on several other threads; in essence, countless
> websites permit users to upload constrained file formats, such as
> JPEGs or GIFs used as profile images. With content sniffing attacks,
> we've already seen that it's relatively trivial for an attacker to make
> files that are both valid images, and also pretend to be some other,
> more dangerous file format.

> Because many browsers prominently display the origin of a download and
> it's the only security indicator users really have, I think it's
> harmful to permit something like:
>
> <a href='http://www.facebook.com/.../user_profile_image.jpg'
> download='important_facebook_update.exe'>
>

Downloads are associated with the site the link is on, not the domain the
resource is served from.  If users click a download link and the file comes
from s3.amazonaws.com, they didn't come from Amazon; they came from your
page.

The origin of downloads should probably not be displayed in a prominent
location, since to typical users it's useless and potentially misleading;
it should be hidden in something like a "details" button.

-- 
Glenn Maynard
Received on Monday, 18 March 2013 14:50:48 GMT
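The pattern Michal quotes above (a cross-origin image relabelled as an executable by the download attribute) can be checked mechanically by a site-side linter or a browser extension. The following is an added example, not code from the thread or from any browser; the function names, the extension list and the sample origins are all constructed for illustration.

```javascript
// Added example: flag <a download> links that relabel a cross-origin
// resource with a different, executable-looking filename.
// Uses only the standard URL API, so it runs in Node or a browser.

// Constructed list of extensions worth flagging; tune to your environment.
const RISKY_EXTENSIONS = new Set(["exe", "msi", "bat", "cmd", "scr", "js", "vbs", "jar", "hta", "ps1"]);

// Last path segment's extension, lower-cased; "" when there is none.
function extensionOf(name) {
  const base = name.split("/").pop().split("?")[0];
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1).toLowerCase();
}

// pageOrigin: origin of the document carrying the link (the site the
// download is attributed to); href: the anchor's href; downloadName: the
// download attribute value, or null when the attribute is absent.
function auditDownloadLink(pageOrigin, href, downloadName) {
  const target = new URL(href, pageOrigin);
  const crossOrigin = target.origin !== new URL(pageOrigin).origin;
  const urlExt = extensionOf(target.pathname);
  const nameExt = downloadName ? extensionOf(downloadName) : urlExt;
  const findings = [];
  if (downloadName && crossOrigin) {
    findings.push("cross-origin resource relabelled by download attribute");
  }
  if (downloadName && nameExt !== urlExt) {
    findings.push(`extension changed from .${urlExt || "(none)"} to .${nameExt || "(none)"}`);
  }
  if (RISKY_EXTENSIONS.has(nameExt)) {
    findings.push(`executable-looking filename .${nameExt}`);
  }
  return { resourceOrigin: target.origin, crossOrigin, urlExt, nameExt, findings };
}

// Scan every <a download> in a live DOM document (browser or jsdom).
function auditDocument(doc) {
  return Array.from(doc.querySelectorAll("a[download][href]")).map(a => ({
    href: a.getAttribute("href"),
    ...auditDownloadLink(doc.location.origin, a.getAttribute("href"), a.getAttribute("download")),
  }));
}

// Constructed sample mirroring the shape of the link quoted in the thread:
// an image hosted elsewhere, renamed to an .exe by the linking page.
const SAMPLE = auditDownloadLink(
  "https://attacker.example",
  "https://cdn.example.net/profile/user_profile_image.jpg",
  "important_facebook_update.exe",
);
```

A download manager that shows the linking page's origin rather than `resourceOrigin` (Glenn's point) would attribute the sample to attacker.example, which is the attribution the findings support.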
