RE: data URIs - filename and content-disposition

From: Michael Wojcik <Michael.Wojcik@microfocus.com>
Date: Wed, 24 Feb 2010 06:49:41 -0800
Message-ID: <81F42F63D5BB344ABF294F8E80990C79CD550E@MTV-EXCHANGE.microfocus.com>
To: <uri@w3.org>

> With that said, I think it'd be awesome if you could do something like:
> 
> <a href="data:text/plain;charset=utf-8;filename=tada.txt;content-disposition=attachment,file_data">Save</a>.

And is it the responsibility of the user agent, or of the user, to ensure that there is no security risk in saving the file under the name suggested by the URI?

Considering how ready most users are to simply click through warnings and confirmations, this looks like a great way for sites to drop trojans, or place other malware at a known location so it can be activated through another vector.

I'd at least like to see a decent review of the security implications, with reference to known attacks along similar vectors (e.g. the use of content-disposition with email attachments), as part of the proposal.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus

Received on Wednesday, 24 February 2010 18:11:00 UTC
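
What the user-agent side of that responsibility could look like, as an added example (not part of the original message or of any browser's code): it treats the `filename` parameter from the quoted proposal as untrusted input and reduces it to a bare basename before any save dialog sees it. The function names `suggestedFilename` and `safeFilename` are hypothetical, and the sample URIs are constructed.

```javascript
// Added example: user-agent-side handling of a filename suggested by a data: URI.
// The ";filename=" parameter is the syntax proposed in the quoted message, not a standard.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i; // Windows device names

function suggestedFilename(uri) {
  // The header is everything between "data:" and the first comma.
  const m = /^data:([^,]*),/i.exec(uri);
  if (!m) return null;
  for (const part of m[1].split(';').slice(1)) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim().toLowerCase() === 'filename') {
      return part.slice(eq + 1);
    }
  }
  return null;
}

function safeFilename(raw, fallback = 'download') {
  if (raw == null) return fallback;
  let name;
  try { name = decodeURIComponent(raw); } catch { return fallback; } // malformed escapes
  name = name.normalize('NFC')
    .replace(/[\u0000-\u001f\u007f\u202a-\u202e\u2066-\u2069]/g, '') // control and bidi-override chars
    .split(/[\\\/]/).pop()           // keep only the last path component
    .replace(/[<>:"|?*]/g, '_')      // characters invalid on Windows filesystems
    .replace(/^[.\s]+|[.\s]+$/g, '') // no hidden files, no trailing dot or space
    .slice(0, 100);
  if (!name || RESERVED.test(name)) return fallback;
  return name;
}

// Constructed sample URIs.
const samples = [
  'data:text/plain;charset=utf-8;filename=tada.txt;content-disposition=attachment,file_data',
  'data:text/plain;filename=..%2F..%2F.bashrc,x',
  'data:text/plain;filename=C%3A%5CUsers%5CPublic%5Cnotes.txt,x',
  'data:text/plain;filename=nul.txt,x',
];
for (const s of samples) console.log(safeFilename(suggestedFilename(s)));
```

Sanitizing the name does not settle the file type or the save location; those remain separate user-agent decisions.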
