Re: [FileAPI] Blob.URN?

On Mar 31, 2010, at 16:58 , Tab Atkins Jr. wrote:
> On Wed, Mar 31, 2010 at 1:55 AM, Robin Berjon <robin@berjon.com> wrote:
>> On Mar 31, 2010, at 01:56 , Darin Fisher wrote:
>>> The only way to get a FileWriter at the moment is from <input type="saveas">.  What is desired is a way to simulate the load of a resource with Content-Disposition: attachment that would trigger the browser's download manager.
>> 
>> I don't think that <input type=saveas> is a good solution for this, for one it falls back to a text input control, which is less than ideal. I think that the File Writer should trigger downloads on an API call since that doesn't introduce security issues that aren't already there. I'll make a proposal for that.
> 
> Better fallback could be achieved with <button type=saveas></button>.

Well, that gives you a button that does nothing. It's better in the same sense that if you want to get to the moon, a car is better than a kick scooter.

You can already redirect to malicious.exe. You can also already build malicious.zip directly in script and prompt for download (like http://jszip.stuartk.co.uk/ does). A saveAs() method that works through the download UI changes nothing security-wise, unless I'm missing something.

I'm going to flag the entry point issue in the draft, and DAP has decided to release a FPWD of it (because most of it is still very useful to look at separately from this issue).

-- 
Robin Berjon - http://berjon.com/

Received on Wednesday, 31 March 2010 15:24:36 UTC