
[whatwg] "Content-Disposition" property for <a> tags

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 01 May 2011 12:56:32 -0400
Message-ID: <4DBD90C0.8060600@mit.edu>

On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

At least in the case of Firefox for that particular case on Windows the 
filename will be sanitized...

But yes, there are other situations where things could be more problematic.

Received on Sunday, 1 May 2011 09:56:32 UTC
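
The mismatch described in the quoted scenario (a text resource offered under an .exe name chosen by another site) can be neutralised on the receiving side by treating the markup-supplied name as untrusted and deriving the extension from the served Content-Type. The sketch below is an added example, not Firefox's sanitisation code and not from either poster; the function name `safeDownloadName`, the type table and the policy itself are assumptions.

```javascript
// Hypothetical user-agent policy (an assumption, not any browser's real code):
// the filename suggested by page markup is untrusted, so the final extension
// always comes from the Content-Type the server actually sent.
const EXT_FOR_TYPE = {             // constructed, deliberately small table
  'text/plain': 'txt',
  'text/html': 'html',
  'image/png': 'png',
  'application/pdf': 'pdf',
};

function safeDownloadName(suggested, contentType) {
  // Media type without parameters such as "; charset=utf-8".
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();

  let name = String(suggested || '')
    // Drop control characters and bidi overrides that can disguise a name.
    .replace(/[\u0000-\u001f\u007f\u200e\u200f\u202a-\u202e\u2066-\u2069]/g, '')
    .split(/[\\/]/).pop()           // keep only the last path component
    .replace(/[<>:"|?*]/g, '_')     // characters Windows forbids in filenames
    .replace(/[. ]+$/, '');         // Windows ignores trailing dots and spaces
  if (!name) name = 'download';

  // Unknown types get an inert extension instead of the suggested one.
  const wanted = EXT_FOR_TYPE[type] || 'download';

  // Keep the stem; a suggested extension survives only if it matches the type.
  let stem = name;
  if (name.toLowerCase().endsWith('.' + wanted)) {
    stem = name.slice(0, -(wanted.length + 1));
  }
  // Flatten remaining dots so "x.exe" cannot reappear when the OS hides
  // the real extension ("x.exe.txt" would display as "x.exe").
  stem = stem.replace(/\./g, '_') || 'download';
  return stem + '.' + wanted;
}

// Constructed sample: the case from the quoted message.
console.log(safeDownloadName('Important_Security_Update.exe', 'text/plain'));
```

The table is intentionally tiny; reserved Windows device names and a full MIME registry are out of scope for this sketch.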
