Re: [integrity] Downloads

In fact, one more gotcha: because the 'download' attribute is somewhat
sketchy, some implementations permit site owners to override it. In
particular, in Firefox, the server may respond with
'Content-Disposition: inline' to override 'download' in the markup
itself.

So, one possible approach would be to require that the ultimate result
of a fetch leads to a download action, rather than any inline
handling; with the <a> integrity check unconditionally failing
otherwise (with a helpful error message on the console).

/mz

Received on Thursday, 16 January 2014 19:36:07 UTC
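
The rule proposed in the message above, written out as an added sketch; it is not part of the original post, of any specification, or of any browser's code. The function names, the `sha256-<base64>` metadata format, and the header-overrides-markup precedence (generalized from the Firefox behaviour the message describes) are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Disposition type is the token before the first ';', compared case-insensitively.
function dispositionType(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const type = headerValue.split(';')[0].trim().toLowerCase();
  return type === '' ? null : type;
}

// Assumption: a Content-Disposition response header overrides the markup, as the
// message describes for Firefox; with no header, the 'download' attribute decides.
function resultingAction(hasDownloadAttr, contentDisposition) {
  const type = dispositionType(contentDisposition);
  if (type === 'inline') return 'inline';
  if (type !== null) return 'download'; // RFC 6266: unknown types are treated as attachment
  return hasDownloadAttr ? 'download' : 'inline';
}

// Assumed metadata format: "sha256-<base64 digest>".
function digestMatches(integrity, body) {
  const m = /^sha256-([A-Za-z0-9+/]+=*)$/.exec(integrity);
  if (!m) return false;
  return createHash('sha256').update(body).digest('base64') === m[1];
}

// Proposed rule: fail unconditionally unless the fetch ends in a download action.
function checkLinkIntegrity({ hasDownloadAttr, integrity, contentDisposition, body }) {
  if (resultingAction(hasDownloadAttr, contentDisposition) !== 'download') {
    return { ok: false, reason: 'response would be handled inline, not downloaded' };
  }
  if (!digestMatches(integrity, body)) {
    return { ok: false, reason: 'digest mismatch' };
  }
  return { ok: true, reason: 'download with matching digest' };
}

// Constructed sample input (not real data).
const sampleBody = Buffer.from('constructed installer bytes');
const sampleIntegrity = 'sha256-' + createHash('sha256').update(sampleBody).digest('base64');

// A server answering 'Content-Disposition: inline' fails the check even though
// the digest matches and the link carries the 'download' attribute.
console.log(checkLinkIntegrity({ hasDownloadAttr: true, integrity: sampleIntegrity,
  contentDisposition: 'inline', body: sampleBody }));
```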