- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 08 May 2013 13:37:15 -0400
- To: "Gordon P. Hemsley" <gphemsley@gmail.com>
- Cc: whatwg <whatwg@lists.whatwg.org>
On 5/8/13 12:37 PM, Gordon P. Hemsley wrote: > I understand now the motivation for this, but I would think that it > would remove a lot of the usefulness of the @download attribute You're right, but we haven't found another mitigation for our security concerns. > If you have the same origin, you probably already have access to (a) name > the file appropriately in the first place, or (b) set the > Content-Disposition header to send the appropriate filename. No? For files, not for things like data: and blob:, which were the primary motivation for @download. That said, there are lots of cases in which someone can upload files but not pick the filename on the server or control the headers... > I'm not so sure about that, but I'll leave it to someone else to > argue. (If you determine a file to be a PNG, then you suggest a .png > extension, regardless of whether there might be an embedded > executable; if you don't support the file format, then how do you know > that it isn't supposed to be an executable in the first place? —and > what is it doing on the Web?) I assume that last question is a joke, yes? ;) -Boris
Received on Wednesday, 8 May 2013 17:37:43 UTC