[integrity] Downloads

The spec currently says that integrity checks are performed both if
the "download" attribute is used, and if a download is triggered by

However, the latter would not be meaningful: if the destination site
goes rogue, it could initially return a minimalistic HTML document
that is not served with Content-Disposition: attachment, but then
performs an instant <meta> or JS redirect to an evil binary.

In this case, the integrity attribute will be ignored and the
navigation to the evil HTML document will take place, with a download
commencing immediately thereafter; and the end result would be
practically indistinguishable from a successful integrity check.

I think the only way to make integrity work on <a> is to require the
download attribute. Further, because incorrect uses would be otherwise
hard to spot, I would suggest specifying that <a integrity=...> with
no 'download' specified should fail unconditionally.


Received on Thursday, 16 January 2014 19:29:20 UTC