- From: Ian Fette <ifette@google.com>
- Date: Fri, 15 Jul 2011 14:32:54 -0700
On Fri, Jul 15, 2011 at 1:15 PM, Julian Reschke <julian.reschke at gmx.de>wrote: > On 2011-07-15 19:05, Ian Fette (????????) wrote: > >> .. >> >>> It also doesn't naturally help understanding that it's just poor man's >>> Content-Disposition:**attachment. From this point of view, I like Ian's >>> original proposal (rel=attachment) more. >>> >>> >> Yes and no - both are sort of a poor man's Content-Disposition :) The >> question is whether we need to handle filename, and the proposal of >> download=filename at least maps content-disposition fully and compactly. >> ... >> > > Well, one difference is that C-D is under the control of the owner of the > resource being linked to (ideally), while attributes set somewhere else > might not. > > So there is a security-related aspect to this. > > Best regards, Julian > So, in the interest of making progress, what if we tried... download=filename for same origin it's always downloaded (includes filesystem api from that origin) for cross-origin it's downloaded if we get a positive CORS response and/or we get a content-disposition attachment for cross-origin if we don't get positive CORS response OR content-disposition:attachment we don't download We can always start conservative and broaden out. -Ian
Received on Friday, 15 July 2011 14:32:54 UTC