W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: [integrity] Downloads

From: Mike West <mkwst@google.com>
Date: Fri, 17 Jan 2014 09:15:14 +0100
Message-ID: <CAKXHy=fVzAqkrtS+dbNJj+_umQryVAL63o8sX5Db0kbry0NgOw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree completely. Thank you for writing this up.
https://github.com/w3c/webappsec/commit/ad200c500c2edd325785a26d7829c118528e58f8is
an attempt at speccing that out. WDYT?

I believe the `Content-Disposition: inline` bypass you note is already
covered by limiting integrity verification to resources being handled "as a
download", but I'll take another look at the HTML spec to make sure.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jan 16, 2014 at 8:35 PM, Michal Zalewski <lcamtuf@coredump.cx>wrote:

> In fact, one more gotcha: because the 'download' attribute is somewhat
> sketchy, some implementations permit site owners to override it. In
> particular, in Firefox, the server may respond with
> 'Content-Disposition: inline' to override 'download' in the markup
> itself.
>
> So, one possible approach would be to require that the ultimate result
> of a fetch leads to a download action, rather than any inline
> handling; with the <a> integrity check unconditionally failing
> otherwise (with a helpful error message on the console).
>
> /mz
>
Received on Friday, 17 January 2014 08:16:03 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC