- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 07 May 2013 22:18:38 -0400
- To: whatwg@lists.whatwg.org
On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
> A @download attribute with a value would override both factors, like so:
> (1) Download it.
> (2) "A.txt"

Why? You say this as if it were obvious, but it's not obvious to me at all... What's the reasoning that makes this the desirable behavior?

> I don't see what the security concerns might be: There is no
> difference here than what is already available

There is if you allow cross-origin @download. There is if you allow untrusted markup on your server and don't sanitize away @download (should it be sanitized away? Unclear).

> AFAICT, there are no content
> sniffing or cross-domain issues at play.

But there are; see above.

> results when saving a file; they don't do any file extension vs. file
> format checking.

Uh... that depends on exactly how you save and your OS. Browsers commonly do file extension vs MIME type checking on Windows. Behavior on other OSes varies, and varies across browsers.

-Boris
Received on Wednesday, 8 May 2013 02:19:03 UTC