- From: Glenn Maynard <glenn@zewt.org>
- Date: Mon, 18 Mar 2013 09:50:19 -0500
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: WHAT Working Group <whatwg@whatwg.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Jonas Sicking <jonas@sicking.cc>
On Mon, Mar 18, 2013 at 9:30 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> I think I raised this on several other threads; in essence, countless
> websites permit users to upload constrained file formats, such as
> JPEGs or GIFs used as profile images. With content sniffing attacks,
> we've already seen that it's relatively trivial for an attacker to make
> files that are both valid images, and also pretend to be some other,
> more dangerous file format.
>
> Because many browsers prominently display the origin of a download and
> it's the only security indicator users really have, I think it's
> harmful to permit something like:
>
> <a href='http://www.facebook.com/.../user_profile_image.jpg'
> download='important_facebook_update.exe'>

Downloads are associated with the site the link is on, not the domain the resource is served from. If users click a download link and the file comes from s3.amazonaws.com, they didn't come from Amazon; they came from your page.

The origin of downloads should probably not be displayed in a prominent location, since to typical users it's useless and potentially misleading; it should be hidden in something like a "details" button.

-- 
Glenn Maynard
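The pattern discussed above (a cross-origin resource served with one extension, but offered to the user under a different, executable-looking name via the `download` attribute) is easy to check for from the hosting page's side. The following is an added example, not code from either poster or from any browser or spec; it takes a list of `{href, download}` pairs (what `document.querySelectorAll('a[download]')` would yield) plus the page origin, and reports links that are cross-origin, that rename the file to a different extension, or whose suggested name looks executable. All hostnames and paths in the sample data are constructed for the example.

```javascript
// Added example: audit <a download> links for the cross-origin rename pattern.
// Not part of the original thread; sample URLs below are constructed.

// Extensions that a user would reasonably treat as "run this" rather than "view this".
const RISKY_EXTENSIONS = new Set(['exe', 'msi', 'bat', 'cmd', 'scr', 'js', 'vbs', 'hta', 'jar', 'ps1']);

// Lower-cased extension of the last path segment, ignoring query and fragment.
function extensionOf(name) {
  const base = name.split('/').pop().split('?')[0].split('#')[0];
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

// links: array of { href, download }; pageOrigin: origin of the hosting document.
// Returns one finding per suspicious link with the reasons it was flagged.
function auditDownloadLinks(links, pageOrigin) {
  const hostOrigin = new URL(pageOrigin).origin;
  const findings = [];
  for (const link of links) {
    if (link.download === undefined || link.download === null) continue; // no download attribute
    let url;
    try {
      url = new URL(link.href, pageOrigin); // resolve relative hrefs against the page
    } catch (e) {
      continue; // unparseable href: nothing to download
    }
    const crossOrigin = url.origin !== hostOrigin;
    const servedExt = extensionOf(url.pathname);
    // download="" means "use the resource's own name", so fall back to the path.
    const suggestedExt = extensionOf(link.download || url.pathname);

    const reasons = [];
    if (crossOrigin) reasons.push('cross-origin resource');
    if (link.download && suggestedExt !== servedExt) {
      reasons.push(`extension mismatch (${servedExt || 'none'} -> ${suggestedExt || 'none'})`);
    }
    if (RISKY_EXTENSIONS.has(suggestedExt)) {
      reasons.push(`suggested name looks executable (.${suggestedExt})`);
    }
    if (reasons.length > 0) {
      findings.push({ href: url.href, download: link.download, crossOrigin, reasons });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical hosts, not real sites).
const SAMPLE_LINKS = [
  { href: 'https://cdn.example.test/u/42/profile.jpg', download: 'important_update.exe' }, // the pattern from the thread
  { href: '/reports/q1.pdf', download: 'q1-report.pdf' },                                   // same-origin, same type: fine
  { href: 'https://s3.example.test/bucket/report.pdf', download: '' },                      // cross-origin, but name kept
];

// Example run: prints the two flagged links and their reasons.
for (const f of auditDownloadLinks(SAMPLE_LINKS, 'https://www.example.test')) {
  console.log(f.href, '->', f.download || '(resource name)', '|', f.reasons.join('; '));
}
```

A page that hosts user-supplied links can run this in a build step or a content-review hook and refuse, or at least surface, links that rename a cross-origin resource to an executable extension; the first sample link is flagged on all three counts, the third only for being cross-origin.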
Received on Monday, 18 March 2013 14:50:48 UTC