[whatwg] a rel=attachment

From: Bjartur Thorlacius <svartman95@gmail.com>
Date: Sun, 17 Jul 2011 19:41:08 +0000
Message-ID: <4E233AD4.4080302@gmail.com>
On Fri 15 Jul 2011 18:39, Jonas Sicking wrote:
> 2011/7/14 Ian Fette (イアンフェッティ)<ifette at google.com>:
> One concern which was brought up was the ability to cause the user to
> download a file from a third party site. I.e. this would allow
> evil.com to trick the user into downloading an email from the user's
> webmail, or download a page from their bank which contains all their
> banking information. It might be easier to then trick the user into
> re-uploading the saved file to evil.com since from a user's
> perspective, it looked like the file came from evil.com.
Would it not be possible to send an unauthenticated request for the
file, if it's of different origin?
Received on Sunday, 17 July 2011 12:41:08 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:34 UTC