Re: [integrity] Downloads

I agree completely. Thank you for writing this up.
https://github.com/w3c/webappsec/commit/ad200c500c2edd325785a26d7829c118528e58f8is
an attempt at speccing that out. WDYT?

I believe the `Content-Disposition: inline` bypass you note is already
covered by limiting integrity verification to resources being handled "as a
download", but I'll take another look at the HTML spec to make sure.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jan 16, 2014 at 8:35 PM, Michal Zalewski <lcamtuf@coredump.cx>wrote:

> In fact, one more gotcha: because the 'download' attribute is somewhat
> sketchy, some implementations permit site owners to override it. In
> particular, in Firefox, the server may respond with
> 'Content-Disposition: inline' to override 'download' in the markup
> itself.
>
> So, one possible approach would be to require that the ultimate result
> of a fetch leads to a download action, rather than any inline
> handling; with the <a> integrity check unconditionally failing
> otherwise (with a helpful error message on the console).
>
> /mz
>

Received on Friday, 17 January 2014 08:16:03 UTC