RE: data URIs - filename and content-disposition

> With that said, I think it'd be awesome if you could do something like:
> 
> <a
> href="data:text/plain;charset=utf-8;filename=tada.txt;content-
> disposition=attachment,file_data">Save</a>.

And is it the responsibility of the user agent, or of the user, to ensure that there is no security risk in saving the file under the name suggested by the URI?

Considering how ready most users are to simply click through warnings and confirmations, this looks like a great way for sites to drop trojans, or place other malware at a known location so it can be activated through another vector.

I'd at least like to see a decent review of the security implications, with reference to known attacks along similar vectors (eg the use of content-disposition with email attachments), as part of the proposal.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus

Received on Wednesday, 24 February 2010 18:11:00 UTC
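
The user-agent side of the question raised above, as an added example that is not part of the original message or of any browser's code: it reads the proposal's hypothetical `filename=` parameter from a data: URI and reduces the untrusted name to a safe leaf name before any save dialog uses it. The function names, the extension list and the sanitisation rules are assumptions chosen for illustration.

```javascript
// Added example. `filename=` in a data: URI is the proposal's syntax, not a standard parameter.
const WINDOWS_RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i;
// Illustrative (not exhaustive) list of extensions that should trigger an explicit prompt.
const RISKY_EXT = new Set(['exe', 'scr', 'bat', 'cmd', 'com', 'lnk', 'js', 'vbs', 'ps1', 'msi', 'hta']);

// Extract the suggested name from the media-type parameters (everything before the first comma).
function suggestedFilename(dataUri) {
  if (!dataUri.toLowerCase().startsWith('data:')) return null;
  const comma = dataUri.indexOf(',');
  if (comma === -1) return null;
  for (const part of dataUri.slice(5, comma).split(';').slice(1)) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim().toLowerCase() === 'filename') {
      try { return decodeURIComponent(part.slice(eq + 1).trim()); }
      catch { return null; } // malformed percent-encoding: treat as no suggestion
    }
  }
  return null;
}

// Reduce an untrusted name to a leaf name and flag names that need an explicit warning.
function safeSaveName(untrusted, fallback = 'download') {
  let name = (untrusted || '').normalize('NFC');
  // Drop control characters and bidi overrides that can disguise the real extension.
  name = name.replace(/[\u0000-\u001f\u007f\u200e\u200f\u202a-\u202e\u2066-\u2069]/g, '');
  name = name.split(/[\\/]/).pop();             // keep the leaf only: no directory traversal
  name = name.replace(/[<>:"|?*]/g, '_');       // characters invalid on Windows
  name = name.replace(/^[.\s]+|[.\s]+$/g, '');  // no hidden files, no trailing dot or space
  if (!name || WINDOWS_RESERVED.test(name)) name = fallback;
  name = name.slice(0, 255);
  const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
  return { name, needsWarning: RISKY_EXT.has(ext) };
}
```

The save location itself should still come from the user or the browser's download directory, never from the URI.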