
[whatwg] a rel=attachment

From: Bjartur Thorlacius <svartman95@gmail.com>
Date: Sun, 17 Jul 2011 19:41:08 +0000
Message-ID: <4E233AD4.4080302@gmail.com>
On Fri, 15 Jul 2011 18:39, Jonas Sicking wrote:
> 2011/7/14 Ian Fette (イアンフェッティ)<ifette at google.com>:
> One concern which was brought up was the ability to cause the user to
> download a file from a third party site. I.e. this would allow
> evil.com to trick the user into downloading an email from the user's
> webmail, or download a page from their bank which contains all their
> banking information. It might be easier to then trick the user into
> re-uploading the saved file to evil.com since from a user's
> perspective, it looked like the file came from evil.com.
> 
Would it not be possible to send an unauthenticated request for the
file, if it's of different origin?
Received on Sunday, 17 July 2011 12:41:08 UTC
