Re: [integrity] Downloads

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 16 Jan 2014 11:35:19 -0800
Message-ID: <CALx_OUBT0xzeJnmY_f8i+ucdcnMcjm9HOvp4Fr-uO74JOjBeTg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

In fact, one more gotcha: because the 'download' attribute is somewhat
sketchy, some implementations permit site owners to override it. In
particular, in Firefox, the server may respond with
'Content-Disposition: inline' to override 'download' in the markup
itself.

So, one possible approach would be to require that the ultimate result
of a fetch leads to a download action, rather than any inline
handling; with the <a> integrity check unconditionally failing
otherwise (with a helpful error message on the console).

/mz

Received on Thursday, 16 January 2014 19:36:07 UTC