- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 22 Jul 2011 14:03:12 -0700
On Thu, Jul 21, 2011 at 11:58 PM, Ian Hickson <ian at hixie.ch> wrote: > Is there any reason to use CORS here at all? It seems like the simpler > solution would be the following: > > ?- If download="" is set, then by default trigger a download rather than a > ? navigation action. (User can override via context menu.) > ?- Pick a filename for the download as follows: > ? - if the received resource has a Content-Disposition: attachment header > ? ? that specifies a filename, use that. > ? - otherwise, if the received resource has a Content-Disposition header > ? ? that specifies a filename, and the resource is same-origin, use that > ? ? filename. > ? - otherwise, if the received resource is same-origin and the > ? ? download="" attribute specifies a filename, use that. > ? - otherwise, if the received resource has a Content-Disposition: > ? ? attachment header and the download="" attribute specifies a filename, > ? ? use the filename from the attribute. > ? - otherwise, if the received resource is same-origin then derive a > ? ? filename from the resource. > ? - otherwise, either abort or alert the user that a file is being > ? ? downloaded from a different origin and prompt for a filename. > ?- If a mapping from the MIME type to an extension is known, but the > ? filename doesn't have that extension, add it. > > This is what I've used for now (modulo some allowances for user > interfaces), but I welcome suggests for changing this. The "otherwise, either abort or alert the user that a file is being downloaded from a different origin and prompt for a filename" step seems to allow to *very* different browser behaviors, resulting in a site working in one browser, but not in another. I'm still trying to find a date when we can do a security review about this in mozilla though. It still does seem very strange to me that a bank site which sends "cache-control: no-store" for a resource in order to prevent it from being temporarily stored on the users hard drive, can still end up being *permanently* stored on a users hard drive. All that's needed is for the user to click a 'yes' button on a download dialog while watching a seemingly harmless site. / Jonas
Received on Friday, 22 July 2011 14:03:12 UTC