[whatwg] "Content-Disposition" property for <a> tags

On Thu, Jun 2, 2011 at 3:32 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> I don't think the issue raised was about getting people to save files,
>> though.  If you can get someone to click a link, you can already point
>> them at something that sets the HTTP C-D header.
> The origin of a download is one of the best / most important
> indicators people have right now (which, by itself, is a bit of a
> shame). I just think it would be a substantial regression to make it
> possible for microsoft.com or google.com to unwittingly serve .exe /
> .jar / .zip / .rar files based on third-party markup.
> Firefox and MSIE display the origin fairly prominently, IIRC; Chrome
> displays it in some views. But deficiencies of current UIs are
> probably a separate problem.

Firefox displays it in a small, unimportant-looking piece of text
inside a busy dialog; I never even consciously noticed it until I
looked for it.  For me, Chrome doesn't say anything; when I click an
.EXE it saves it to disk without asking (maybe I changed a preference
somewhere--that seems like an unlikely default).

When I download a file, I decide whether to trust "dangerous" file
types based on who's telling me to download it--that is, based on the
site linking the file, not the site hosting it.  I'd strongly suspect
that more people look at who's linking the file (e.g. where they were
when they clicked the link), and that very few people examine the
"from:" text in the save-as dialog.

Either way, again this is something that can be dealt with in UI, for
example by displaying the source URL as the source of the download
rather than or in addition to the domain hosting the file when this
attribute is used.  It's a weak argument against this feature.

Glenn Maynard

Received on Thursday, 2 June 2011 12:58:05 UTC