W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2011

[whatwg] a rel=attachment

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 17 Jul 2011 13:50:23 -0700
Message-ID: <CA+c2ei8xdOi+FULXRygcsNn41wnuEQUVzQY1PHTNR5MC3Qog8A@mail.gmail.com>
On Sun, Jul 17, 2011 at 12:41 PM, Bjartur Thorlacius
<svartman95 at gmail.com> wrote:
> On Fri 15 Jul 2011 18:39, Jonas Sicking wrote:
>>
>> 2011/7/14 Ian Fette <ifette at google.com>:
>> One concern which was brought up was the ability to cause the user to
>> download a file from a third party site. I.e. this would allow
>> evil.com to trick the user into downloading an email from the user's
>> webmail, or download a page from their bank which contains all their
>> banking information. It might be easier to then trick the user into
>> re-uploading the saved file to evil.com since from a user's
>> perspective, it looked like the file came from evil.com
>>
> Would it not be possible to send an unauthenticated request for the
> file, if it's of different origin?

That only solves part of the problem since if the file is located on a
private intranet behind a firewall, even unauthenticated requests can
return sensitive data.

Additionally, I strongly suspect people will want to be able to
download authenticated data cross site.

/ Jonas
Received on Sunday, 17 July 2011 13:50:23 UTC