- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Thu, 16 Jan 2014 11:35:19 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
In fact, one more gotcha: because the 'download' attribute is somewhat sketchy, some implementations permit site owners to override it. In particular, in Firefox, the server may respond with 'Content-Disposition: inline' to override 'download' in the markup itself. So, one possible approach would be to require that the ultimate result of a fetch leads to a download action, rather than any inline handling; with the <a> integrity check unconditionally failing otherwise (with a helpful error message on the console).

/mz
Received on Thursday, 16 January 2014 19:36:07 UTC
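
The rule proposed in the message above, modelled as an added example that is not part of the original message or of any browser's code: the link's integrity check fails whenever the response would be handled inline, and the digest is compared only when the fetch ends in a download. The function and field names, the base64 SHA-256 digest format, and the lower-cased header keys are assumptions made for the illustration.

```javascript
// Added illustration, not code from the message or any browser.
// All function and field names here are hypothetical.
const { createHash } = require('node:crypto');

const sha256b64 = (bytes) => createHash('sha256').update(bytes).digest('base64');

// Disposition type of a Content-Disposition value, or null when the header is absent.
function dispositionType(headerValue) {
  if (headerValue == null) return null;
  // The type is the token before the first ';' and is case-insensitive.
  const type = String(headerValue).split(';')[0].trim().toLowerCase();
  return type === '' ? null : type;
}

// Model of the precedence the message describes: the response header wins
// over the 'download' attribute in the markup.
function resultsInDownload(hasDownloadAttr, contentDisposition) {
  const type = dispositionType(contentDisposition);
  if (type === 'inline') return false; // server override: handled inline
  if (type !== null) return true;      // 'attachment'; RFC 6266 treats unknown types the same way
  return hasDownloadAttr;              // no header: the markup decides
}

// Proposed rule: inline handling fails the check before the digest is even compared.
function checkLink(link, response) {
  const header = response.headers['content-disposition']; // assumes lower-cased header names
  if (!resultsInDownload(link.hasDownloadAttr, header)) {
    return { ok: false, reason: 'integrity check failed: response would be handled inline' };
  }
  if (sha256b64(response.body) !== link.expectedSha256) {
    return { ok: false, reason: 'integrity check failed: digest mismatch' };
  }
  return { ok: true, reason: 'download with matching digest' };
}

// Constructed sample data.
const body = Buffer.from('constructed sample payload');
const link = { hasDownloadAttr: true, expectedSha256: sha256b64(body) };
for (const cd of [undefined, 'attachment; filename="tool.bin"', 'inline']) {
  const headers = cd === undefined ? {} : { 'content-disposition': cd };
  console.log(cd, '->', checkLink(link, { headers, body }).reason);
}
```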