- From: Gordon P. Hemsley <gphemsley@gmail.com>
- Date: Wed, 8 May 2013 12:15:42 -0400
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Wed, May 8, 2013 at 12:01 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 5/8/13 10:45 AM, Gordon P. Hemsley wrote:
>>
>> I still think @download takes priority.
>>
>> The Content-Disposition header says, "Nevermind what filename the URL
>> shows; this is really file B.txt."
>>
>> The @download attribute says, "Nevermind what filename this link would
>> normally be; let's just consider it A.txt."
>
> OK, that's at least a reasonable argument for the behavior. ;)
>
>> That seems like quite a sophisticated attack that relies on a lot of
>> things falling into place all at once.
>
> Uh... yes. Like most browser exploits.

Perhaps. But maybe I'm not clear on what exactly the alternate proposal is.

Are you suggesting not supporting the @download attribute? Or just ignoring it when Content-Disposition specifies a filename? (I would suggest that neither is the appropriate response.)

>> Then I think it is the responsibility of the UA to sniff the file and
>> protect the user from such attempts to mislead.
>
> This is not trivial, since sniffing can easily fail on files that are both
> HTML and png or both HTML and exe at the same time. There's a good bit of
> research on things like this.

Yes, and that research has already gone into creating the mimesniff standard, has it not? I'm suggesting using the existing algorithm(s) in an additional arena, not creating a new, separate algorithm.

If a file from an image sharing site is served as (or determined to be, via the sniffing algorithms) image/png, for example, then the UA should suggest a filename with a .png extension, ignoring any suggestion by the author for a .exe extension. (Whether you want to change it to "A.png" or "A.exe.png" is debatable, I suppose.)

>> I'm not sure I have the resources to do extensive real-world testing
>> of this (and that documentation suggests it has been superseded in
>> more modern OSes), but I don't think it would be unreasonable for the
>> UA to override or augment the filename suggested by the @download
>> attribute if it determines that it would not be in the best interest
>> of the user to use the suggested filename unchanged.
>
> Phrased that way, using the Content-Disposition filename is a perfectly
> valid "override if not in the best interest of the user" behavior, fwiw.
>
> -Boris
>

True. But doesn't that imply a rejection of my aforementioned "reasonable argument"?

--
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/
Received on Wednesday, 8 May 2013 16:16:36 UTC
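
The filename handling argued for in the message above, sketched as an added example; it is not part of the original mail, not text from the mimesniff standard, and not any browser's code. The names sniffImageType and reconcileDownloadName and the extension table are hypothetical, and the "A.exe.png" variant is chosen over "A.png" only to keep the author's name visible.

```javascript
// Constructed table: extensions accepted for each sniffed image type.
const SAFE_EXTENSIONS = {
  "image/png": ["png"],
  "image/jpeg": ["jpg", "jpeg"],
  "image/gif": ["gif"],
};

// Leading-byte signatures for PNG, JPEG and GIF.
const SIGNATURES = [
  { type: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
];

// Returns the matched image type, or null when no signature matches.
function sniffImageType(data) {
  for (const { type, bytes } of SIGNATURES) {
    if (data.length >= bytes.length && bytes.every((b, i) => data[i] === b)) {
      return type;
    }
  }
  return null;
}

// Hypothetical helper: choose the filename to offer for a download, given the
// author's suggestion (@download or Content-Disposition) and the first bytes.
function reconcileDownloadName(suggested, data) {
  // Keep only the last path component; drop control chars and trailing dots/spaces.
  const base = suggested
    .replace(/^.*[\\/]/, "")
    .replace(/[\x00-\x1f\x7f]/g, "")
    .replace(/[. ]+$/, "") || "download";
  const type = sniffImageType(data);
  if (type === null) return base; // assumption: only sniffed images are rewritten
  const allowed = SAFE_EXTENSIONS[type];
  const dot = base.lastIndexOf(".");
  const ext = dot > 0 ? base.slice(dot + 1).toLowerCase() : "";
  // Extension already agrees with the sniffed type: use the name unchanged.
  if (allowed.includes(ext)) return base;
  // Otherwise augment, so the final extension reflects the sniffed type.
  return `${base}.${allowed[0]}`;
}
```

A signature match only says the file begins like that image type, so a polyglot of the kind Boris mentions still matches; the effect here is limited to the saved name ending in an image extension instead of the author's .exe.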