Re: [whatwg] Priority between <a download> and content-disposition

I think I raised this on several other threads; in essence, countless
websites permit users to upload constrained file formats, such as
JPEGs or GIFs used as profile images. With content sniffing attacks,
we've already seen that it's relatively trivial for an attacker to make
files that are both valid images, and also pretend to be some other,
more dangerous file format.

Because many browsers prominently display the origin of a download and
it's the only security indicator users really have, I think it's
harmful to permit something like:

<a href='http://www.facebook.com/.../user_profile_image.jpg'
download='important_facebook_update.exe'>

In fact, given the security problems it creates and the fact that they
will be difficult to fully mitigate without establishing some sort of
a new 'opt-out' mechanism akin to X-Content-Type-Options (to which
most of the Internet will remain oblivious), I'm not entirely sure if
the value of download= (which seems dubious, TBH) justifies the risk.

/mz

Received on Monday, 18 March 2013 14:31:17 UTC
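The naming decision the post is worried about, as an added example that is not part of the original message and not any browser's code. It models three sources for the displayed filename (Content-Disposition from the serving host, the download= attribute, the URL's last path segment), applies a same-origin rule to download= of the kind browsers later adopted, and flags a mismatch between the chosen extension and the sniffed magic bytes so a UI could warn rather than show "facebook.com" next to an .exe. The magic-byte table, helper names and the sample link and path are my own assumptions; the JPEG header and hrefs are constructed inputs.

```javascript
// Added example (not from the original post or any browser): a small model of
// how a download filename might be chosen, and how download= can make a
// genuine JPEG look like an executable. Names and tables are assumptions.

const MAGIC = {
  jpg: [0xff, 0xd8, 0xff],        // JPEG SOI marker
  gif: [0x47, 0x49, 0x46, 0x38],  // "GIF8"
  png: [0x89, 0x50, 0x4e, 0x47],  // "\x89PNG"
  exe: [0x4d, 0x5a],              // "MZ" DOS/PE header
};

// Return the format whose magic prefix matches the leading bytes, or null.
function sniffType(bytes) {
  for (const [type, magic] of Object.entries(MAGIC)) {
    if (magic.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

function extensionOf(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name);
  return m ? m[1].toLowerCase() : '';
}

// Pull filename="..." out of a Content-Disposition value. Simplified: ignores
// RFC 5987 filename* and quoted-pair escapes.
function dispositionFilename(header) {
  if (!header) return null;
  const m = /filename\s*=\s*"?([^";]+)"?/i.exec(header);
  return m ? m[1].trim() : null;
}

// Priority modelled here (an assumption for this example):
//   1. Content-Disposition filename sent by the host that owns the bytes
//   2. download= attribute, only when the link is same-origin with the page
//   3. last path segment of the URL
// The result also reports whether the chosen extension disagrees with the
// sniffed content, which is the JPEG-named-.exe case from the post.
function chooseDownloadName({ pageOrigin, href, downloadAttr, contentDisposition, bytes }) {
  const url = new URL(href, pageOrigin);
  const sameOrigin = url.origin === new URL(pageOrigin).origin;
  const urlName = decodeURIComponent(url.pathname.split('/').pop() || 'download');

  let name;
  let source;
  const cdName = dispositionFilename(contentDisposition);
  if (cdName) {
    name = cdName;
    source = 'content-disposition';
  } else if (downloadAttr && sameOrigin) {
    name = downloadAttr;
    source = 'download-attribute';
  } else {
    name = urlName;
    source = downloadAttr ? 'url (cross-origin download= ignored)' : 'url';
  }

  const sniffed = sniffType(bytes);
  const ext = extensionOf(name);
  const sameFormat = ext === sniffed || (sniffed === 'jpg' && ext === 'jpeg');
  const mismatch = sniffed !== null && !sameFormat;
  return { name, source, host: url.host, sniffed, mismatch };
}

// Constructed sample input: a real JPEG/JFIF header as an image host would
// serve it, linked from a third-party page with a misleading download= name.
const JPEG_BYTES = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]);

// Attacker's page links to the image host (constructed path, not a real URL).
const crossOrigin = chooseDownloadName({
  pageOrigin: 'https://attacker.example',
  href: 'http://www.facebook.com/photos/user_profile_image.jpg',
  downloadAttr: 'important_facebook_update.exe',
  contentDisposition: null,
  bytes: JPEG_BYTES,
});

// Same link placed on the image host itself: the same-origin rule no longer
// helps, so the extension/content mismatch is the remaining signal.
const sameOriginAbuse = chooseDownloadName({
  pageOrigin: 'http://www.facebook.com',
  href: 'http://www.facebook.com/photos/user_profile_image.jpg',
  downloadAttr: 'important_facebook_update.exe',
  contentDisposition: null,
  bytes: JPEG_BYTES,
});

console.log(crossOrigin, sameOriginAbuse);
```

Run with `node`. The cross-origin case falls back to the URL's own name, while the same-origin case keeps the .exe name but comes back with `mismatch: true`; a server-sent Content-Disposition filename overrides download= in both cases, which is the priority the thread's subject line asks about.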