- From: Glenn Maynard <glenn@zewt.org>
- Date: Mon, 18 Jul 2011 12:35:51 -0400
On Mon, Jul 18, 2011 at 11:58 AM, Alexey Proskuryakov <ap at webkit.org> wrote:

> A different scenario which I don't think has been discussed in this thread is bypassing a hosting service's security settings. Consider a highly reputable hosting that doesn't let you upload executable files (or maybe just scans those for malware if uploaded). With @download, one could bypass that, and make users download or even run an .EXE file by following an innocuous link to a well-known domain. This kind of download could be same origin or cross origin.

The service hosting the file--the target of the link--shouldn't convey trust. The page containing the download link is where trust should come from, not the link target.

For example, if I have a link on my site to download Chrome, I'm not going to link directly to the installer on google.com; I'll link to Google's "Download Chrome" site. The actual download link the user follows is not only pointing to google.com, but is linked from there as well. I expect that most users will trust the download not because of where the download link goes, but where it comes from.

If I link directly to the file to download, users should trust the file as much as they trust *my* site, rather than Google itself, since the download is, from their perspective, coming from me and not them.

Similarly, if a site uses a mysterious CDN or an Amazon S3 link, that shouldn't affect trust; if www.google.com/chrome puts the file itself on mysteriousgooglecdn.com, it should be no less trusted than if it was from a google.com subdomain. That difference should be transparent to users. (This is why it's okay that Firefox's open/save dialog shows the link target in a minor, easily-ignored bit of text--it's not important information for most users. Chrome doesn't even show that.)

So, if a hosting service doesn't want to allow executable files, it won't show files as executable from their own download pages, which is what should matter as far as that site's trust is concerned. People using this mechanism to serve executable files from external links may be annoying, but it shouldn't cause trust issues.

-- 
Glenn Maynard
Received on Monday, 18 July 2011 09:35:51 UTC
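The scenario Alexey raises (a link whose @download value turns a file served under an innocuous name into an executable on the user's disk, possibly from another origin) is easy to check for on the linking page's side. The following Node.js audit is an added example, not code from this thread or from any browser or hosting project; it assumes the caller supplies the page origin, treats the extensions in EXEC_EXTS as executable, and runs over a constructed HTML sample rather than a real site.

```javascript
// Added example: report what each <a download> on a page would actually do.
// Assumptions: pageOrigin is given by the caller; EXEC_EXTS is our own list;
// anchors are pulled out with a simple regex (fine for the constructed sample,
// not a substitute for a real HTML parser). Uses Node's global URL class.
const EXEC_EXTS = new Set(['exe', 'msi', 'bat', 'cmd', 'scr', 'com', 'jar', 'sh']);

function ext(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name || '');
  return m ? m[1].toLowerCase() : '';
}
function lastSegment(pathname) {
  return decodeURIComponent(pathname.split('/').pop() || '');
}

// One finding per anchor that carries a download attribute and an href.
function auditDownloadLinks(html, pageOrigin) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    if (!('download' in attrs) || !attrs.href) continue;
    let target;
    try { target = new URL(attrs.href, pageOrigin); } catch { continue; }
    const servedName = lastSegment(target.pathname);   // name on the server
    const savedName = attrs.download || servedName;    // name the user gets
    findings.push({
      href: target.href,
      savedAs: savedName,
      crossOrigin: target.origin !== new URL(pageOrigin).origin,
      executable: EXEC_EXTS.has(ext(savedName)),
      renamedExtension: ext(savedName) !== ext(servedName),
    });
  }
  return findings;
}

// Constructed sample: a page on https://example.org (placeholder origin).
const SAMPLE_HTML = `
<a href="/files/report.pdf" download>Report</a>
<a href="https://files.example.net/u/1234/notes.txt" download="Setup.exe">Setup</a>
<a href="https://example.org/dl/tool.exe" download="tool.exe">Tool</a>
`;
console.log(auditDownloadLinks(SAMPLE_HTML, 'https://example.org'));
```

The second sample anchor is the case from the thread: a .txt hosted elsewhere that would land on disk as Setup.exe, so a linking page that wants to honour its host's no-executables policy can flag renamedExtension together with executable before publishing.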