- From: Robin Berjon <robin@berjon.com>
- Date: Wed, 31 Mar 2010 17:24:07 +0200
- To: Tab Atkins Jr. <jackalmage@gmail.com>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>, Eric Uhrhane <ericu@google.com>

On Mar 31, 2010, at 16:58 , Tab Atkins Jr. wrote:
> On Wed, Mar 31, 2010 at 1:55 AM, Robin Berjon <robin@berjon.com> wrote:
>> On Mar 31, 2010, at 01:56 , Darin Fisher wrote:
>>> The only way to get a FileWriter at the moment is from <input type="saveas">. What is desired is a way to simulate the load of a resource with Content-Disposition: attachment that would trigger the browser's download manager.
>>
>> I don't think that <input type=saveas> is a good solution for this, for one it falls back to a text input control, which is less than ideal. I think that the File Writer should trigger downloads on an API call since that doesn't introduce security issues that aren't already there. I'll make a proposal for that.
>
> Better fallback could be achieved with <button type=saveas></button>.

Well, that gives you a button that does nothing. It's better in the same sense that if you want to get to the moon, a car is better than a kick scooter.

You can already redirect to malicious.exe. You can also already build malicious.zip directly in script and prompt for download (like http://jszip.stuartk.co.uk/ does). A saveAs() method that works through the download UI changes nothing security-wise, unless I'm missing something.

I'm going to flag the entry point issue in the draft, and DAP has decided to release a FPWD of it (because most of it is still very useful to look at separately from this issue).

--
Robin Berjon - http://berjon.com/

Received on Wednesday, 31 March 2010 15:24:36 UTC