[whatwg] "Content-Disposition" property for <a> tags

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 01 May 2011 12:56:32 -0400
Message-ID: <4DBD90C0.8060600@mit.edu>
On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

At least in the case of Firefox for that particular case on Windows the 
filename will be sanitized...

But yes, there are other situations where things could be more problematic.

-Boris
Received on Sunday, 1 May 2011 09:56:32 UTC
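
An added example, not part of the thread and not Firefox's actual sanitization code: one way a user agent could treat a filename suggested by markup so that the served Content-Type, not the linking page, decides the extension. The function name, the type-to-extension table and the executable-extension list are assumptions constructed for illustration.

```javascript
// Added illustration; not Firefox's algorithm. Table and names are assumptions.
const EXT_BY_TYPE = {
  "text/plain": ["txt", "text", "log"],
  "text/html": ["html", "htm"],
  "image/png": ["png"],
  "application/pdf": ["pdf"],
};
// Extensions Windows will run when opened (constructed list, not exhaustive).
const EXECUTABLE = new Set(
  ["exe", "scr", "com", "bat", "cmd", "msi", "pif", "js", "vbs", "lnk"]);

function sanitizeSuggestedFilename(suggested, contentType) {
  // Keep only the last path component, then drop control characters and
  // characters that are reserved in Windows file names.
  let name = String(suggested).split(/[\\/]/).pop()
    .replace(/[\u0000-\u001f<>:"|?*]/g, "")
    .replace(/[. ]+$/, ""); // Windows ignores trailing dots and spaces
  if (name === "") name = "download";

  const type = String(contentType).split(";")[0].trim().toLowerCase();
  const allowed = EXT_BY_TYPE[type];
  const dot = name.lastIndexOf(".");
  const ext = dot >= 0 ? name.slice(dot + 1).toLowerCase() : "";

  if (allowed) {
    // The served type decides the extension; the markup only decides the stem.
    return allowed.includes(ext) ? name : `${name}.${allowed[0]}`;
  }
  // Unknown type: never let the markup choose an executable extension.
  return EXECUTABLE.has(ext) ? `${name}.download` : name;
}

// The case from the quoted message: a text/plain resource with an .exe name.
console.log(
  sanitizeSuggestedFilename("Important_Security_Update.exe", "text/plain"));
```
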
