[whatwg] Forcing a download from Jonas Sicking on 2011-07-22 (public-whatwg-archive@w3.org from July 2011)

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 22 Jul 2011 14:03:12 -0700
Message-ID: <CA+c2ei9Q9zWpc1eqx5UMV+W6Qji9-1mFWCjJRB19uvpL18XTdA@mail.gmail.com>

On Thu, Jul 21, 2011 at 11:58 PM, Ian Hickson <ian at hixie.ch> wrote:
> Is there any reason to use CORS here at all? It seems like the simpler
> solution would be the following:
>
> ?- If download="" is set, then by default trigger a download rather than a
> ? navigation action. (User can override via context menu.)
> ?- Pick a filename for the download as follows:
> ? - if the received resource has a Content-Disposition: attachment header
> ? ? that specifies a filename, use that.
> ? - otherwise, if the received resource has a Content-Disposition header
> ? ? that specifies a filename, and the resource is same-origin, use that
> ? ? filename.
> ? - otherwise, if the received resource is same-origin and the
> ? ? download="" attribute specifies a filename, use that.
> ? - otherwise, if the received resource has a Content-Disposition:
> ? ? attachment header and the download="" attribute specifies a filename,
> ? ? use the filename from the attribute.
> ? - otherwise, if the received resource is same-origin then derive a
> ? ? filename from the resource.
> ? - otherwise, either abort or alert the user that a file is being
> ? ? downloaded from a different origin and prompt for a filename.
> ?- If a mapping from the MIME type to an extension is known, but the
> ? filename doesn't have that extension, add it.
>
> This is what I've used for now (modulo some allowances for user
> interfaces), but I welcome suggests for changing this.

The "otherwise, either abort or alert the user that a file is being
downloaded from a different origin and prompt for a filename" step
seems to allow to *very* different browser behaviors, resulting in a
site working in one browser, but not in another.

I'm still trying to find a date when we can do a security review about
this in mozilla though. It still does seem very strange to me that a
bank site which sends "cache-control: no-store" for a resource in
order to prevent it from being temporarily stored on the users hard
drive, can still end up being *permanently* stored on a users hard
drive. All that's needed is for the user to click a 'yes' button on a
download dialog while watching a seemingly harmless site.

/ Jonas

Received on Friday, 22 July 2011 14:03:12 UTC