W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2011

[whatwg] a rel=attachment

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 18 Jul 2011 09:20:13 -0700
Message-ID: <CA+c2ei-9TnVEQDgeJ2wvU4BfW0pSznad1-iOHSULbBUW0Nmaiw@mail.gmail.com>
On Mon, Jul 18, 2011 at 8:58 AM, Alexey Proskuryakov <ap at webkit.org> wrote:
>
> 17.07.2011, ? 21:05, Adam Barth ???????(?):
>
>> In summary, using CORS for this purpose is costly (both to
>> implementors and to authors), and I don't think it solves a real
>> security problem.
>
>
> Agreed. This feature basically gives authors two abilities: (1) force downloading of resources that would be displayed inline otherwise, and (2) rename them on the fly. Neither is what a site operator adding CORS headers e.g. for WebGL textures would think they're allowing.
>
> A different scenario which I don't think has been discussed in this thread is bypassing a hosting service security settings. Consider a highly reputable hosting that doesn't let you upload executable files (or maybe just scans those for malware if uploaded). With @download, one could bypass that, and make users download or even run an .EXE file by following an innocuous link to a well known domain. This kind of download could be same origin or cross origin.
>
> Perhaps an author who has not been given permission to change server HTTP responses is not trusted enough to change them via HTML either.

Any site that want to allow downloads without risking sharing data can
simply add "content-disposition: attached" headers. So no risk of
leaking too much data required.

/ Jonas
Received on Monday, 18 July 2011 09:20:13 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:34 UTC