[whatwg/fetch] Should `Content-Disposition: attachment` implicitly opt into CORB and/or CORP? (#875)

Web servers can use the `Content-Disposition: attachment` response header to indicate to browsers that the responses shouldn't be displayed inside the Web page (or as the Web page), but instead should be downloaded:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
- https://tools.ietf.org/html/rfc6266

QUESTION: Should the presence of `Content-Disposition: attachment` implicitly opt the response into [CORB](https://fetch.spec.whatwg.org/#corb) and/or [CORP](https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header)?

My main worry is that currently `Content-Disposition: attachment` does force a download in Firefox and Chrome, but only for _navigations_ and not for subresources.  In the example below, `200.png` is served with `Content-Disposition: attachment`, but the image is still displayed within the page (OTOH, clicking the link does force a download, rather than displaying the standalone image).  Given this, this change probably has a high risk of breaking some existing websites :-/
```html
<img src="200.png">
<a href="200.png">link</a>
```

cc @csreis, @arturjanc

-- 
https://github.com/whatwg/fetch/issues/875

Received on Monday, 4 March 2019 17:10:17 UTC
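
Added example, not part of the original issue or of any browser or spec text: a server can already opt its attachment responses into CORP explicitly instead of relying on an implicit rule. The sketch below is a WSGI middleware that appends `Cross-Origin-Resource-Policy` to any response whose disposition type is `attachment`; the names `add_corp_for_attachments`, `AttachmentCorpMiddleware` and `demo_app` are hypothetical, and the `200.png` response is constructed to mirror the one described above.

```python
from wsgiref.util import setup_testing_defaults

CORP = "Cross-Origin-Resource-Policy"

def is_attachment(value):
    """True when the disposition type (the token before the first ';') is 'attachment'."""
    return value.split(";", 1)[0].strip().lower() == "attachment"

def add_corp_for_attachments(headers, policy="same-origin"):
    """Return a header list with CORP appended for attachment responses.

    A CORP header the application already set is left untouched."""
    names = {name.lower() for name, _ in headers}
    dispositions = [v for name, v in headers if name.lower() == "content-disposition"]
    if CORP.lower() in names or not any(is_attachment(v) for v in dispositions):
        return list(headers)
    return list(headers) + [(CORP, policy)]

class AttachmentCorpMiddleware:
    """Wraps a WSGI app and rewrites its response headers on the way out."""
    def __init__(self, app, policy="same-origin"):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            fixed = add_corp_for_attachments(headers, self.policy)
            return start_response(status, fixed, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    # Constructed sample response: 200.png served as an attachment.
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        ("Content-Disposition", 'attachment; filename="200.png"'),
    ])
    return [b"\x89PNG (constructed placeholder body)"]

def run_demo():
    """Call the wrapped app once and return the headers the client would see."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers
    b"".join(AttachmentCorpMiddleware(demo_app)(environ, start_response))
    return dict(seen["headers"])

if __name__ == "__main__":
    print(run_demo())
```

With `same-origin`, a same-origin `<img src="200.png">` keeps rendering while a cross-origin no-cors request for the same URL is blocked, so a site can check for the breakage discussed above on its own attachment endpoints before enabling the policy everywhere.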