- From: Mike West <mkwst@google.com>
- Date: Fri, 17 Jan 2014 09:15:14 +0100
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fVzAqkrtS+dbNJj+_umQryVAL63o8sX5Db0kbry0NgOw@mail.gmail.com>
I agree completely. Thank you for writing this up. https://github.com/w3c/webappsec/commit/ad200c500c2edd325785a26d7829c118528e58f8 is an attempt at speccing that out. WDYT?

I believe the `Content-Disposition: inline` bypass you note is already covered by limiting integrity verification to resources being handled "as a download", but I'll take another look at the HTML spec to make sure.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jan 16, 2014 at 8:35 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> In fact, one more gotcha: because the 'download' attribute is somewhat
> sketchy, some implementations permit site owners to override it. In
> particular, in Firefox, the server may respond with
> 'Content-Disposition: inline' to override 'download' in the markup
> itself.
>
> So, one possible approach would be to require that the ultimate result
> of a fetch leads to a download action, rather than any inline
> handling; with the <a> integrity check unconditionally failing
> otherwise (with a helpful error message on the console).
>
> /mz
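The decision rule the two messages converge on, written out as an added illustration that is not part of this thread and not the webappsec spec draft linked above: a user-agent-side routine that runs the `integrity` check only when following the `<a>` would actually end in a download, and fails closed when the server overrides the markup's `download` attribute with `Content-Disposition: inline`. The `alg-base64(digest)` token syntax, the `evaluate_download` function and its return strings, and the sample payload are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample payload (not from the thread): the "file" the <a download> points at.
PAYLOAD = b"release-notes: nothing to see here\n"

# Accepted digest algorithms; weaker ones are deliberately left out.
_ALGS = ("sha256", "sha384", "sha512")
# Assumed token syntax: "<alg>-<standard base64 of the raw digest>".
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def integrity_token(data: bytes, alg: str = "sha256") -> str:
    """Build an 'alg-base64(digest)' token for data (the assumed integrity attribute syntax)."""
    if alg not in _ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str):
    """Parse a whitespace-separated token list; malformed or unknown tokens are skipped."""
    parsed = []
    for token in value.split():
        m = _TOKEN_RE.match(token)
        if not m:
            continue
        try:
            parsed.append((m.group(1), base64.b64decode(m.group(2), validate=True)))
        except ValueError:
            continue
    return parsed


def disposition_type(headers: dict) -> str:
    """Return the lower-cased Content-Disposition type ('' if absent, else e.g. 'inline', 'attachment')."""
    for name, value in headers.items():
        if name.lower() == "content-disposition":
            return value.split(";", 1)[0].strip().lower()
    return ""


def evaluate_download(anchor: dict, headers: dict, body: bytes) -> str:
    """
    Decide what a user agent should do with the result of following an <a> element.

    anchor  - attributes of the element, e.g. {"download": "", "integrity": "sha256-..."}
    headers - response headers (case-insensitive names)
    body    - response body

    Returns one of:
      "no-check"       no integrity attribute; ordinary behaviour
      "not-download"   the result would not be handled as a download (no download
                       attribute, or the server sent Content-Disposition: inline), so
                       the integrity check cannot apply: fail closed
      "integrity-fail" a download, but no token matched the body
      "ok"             a download whose body matches at least one token
    """
    integrity = anchor.get("integrity", "").strip()
    if not integrity:
        return "no-check"

    # The check is only meaningful if the bytes end up as a download. The server can
    # override the markup's download attribute with Content-Disposition: inline; in
    # that case the check fails unconditionally instead of silently not running.
    if "download" not in anchor or disposition_type(headers) == "inline":
        return "not-download"

    for alg, expected in parse_integrity(integrity):
        actual = hashlib.new(alg, body).digest()
        if hmac.compare_digest(actual, expected):
            return "ok"
    return "integrity-fail"


if __name__ == "__main__":
    anchor = {"download": "notes.txt", "integrity": integrity_token(PAYLOAD)}
    print(evaluate_download(anchor, {"Content-Disposition": "attachment"}, PAYLOAD))
    print(evaluate_download(anchor, {"Content-Disposition": "inline"}, PAYLOAD))
```

The `not-download` branch is the point of the exchange: a browser that simply skipped verification when the server said `inline` would let the header strip the protection the author asked for, so the routine treats an overridden download as a failed check rather than as an unchecked success.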
Received on Friday, 17 January 2014 08:16:03 UTC