
Re: data URIs - filename and content-disposition

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 25 Feb 2010 00:35:37 +0100
Message-ID: <4B85B7C9.1070200@gmx.de>
To: Michael Wojcik <Michael.Wojcik@microfocus.com>
CC: uri@w3.org

On 24.02.2010 15:49, Michael Wojcik wrote:
>> With that said, I think it'd be awesome if you could do something like:
>>
>> <a href="data:text/plain;charset=utf-8;filename=tada.txt;content-disposition=attachment,file_data">Save</a>.
>
> And is it the responsibility of the user agent, or of the user, to ensure that there is no security risk in saving the file under the name suggested by the URI?
>
> Considering how ready most users are to simply click through warnings and confirmations, this looks like a great way for sites to drop trojans, or place other malware at a known location so it can be activated through another vector.
>
> I'd at least like to see a decent review of the security implications, with reference to known attacks along similar vectors (e.g. the use of content-disposition with email attachments), as part of the proposal.

It's not a new attack vector. See 
<http://tools.ietf.org/html/rfc2183#section-5>.

Best regards, Julian
Received on Wednesday, 24 February 2010 23:36:20 UTC
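
One way a user agent could treat the suggested name as untrusted input, in the spirit of RFC 2183's advice not to use a suggested filename blindly and to ignore directory path information. This is an added example, not part of the original message; the `filename` data-URI parameter is only the proposal quoted above, percent-decoding of its value is an assumption, and all function names are hypothetical.

```javascript
// Added example: user-agent-side handling of the *proposed* (non-standard)
// "filename" parameter on a data: URI. All function names are hypothetical.

// Parse the media-type parameters that precede the first comma of a data: URI.
function parseDataUriParams(uri) {
  if (!/^data:/i.test(uri)) throw new Error("not a data: URI");
  const comma = uri.indexOf(",");
  if (comma === -1) throw new Error("malformed data: URI");
  const params = {};
  for (const part of uri.slice(5, comma).split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq > 0) params[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return params;
}

// Reduce an untrusted suggested name to a single harmless path component.
function safeSuggestedName(raw, fallback = "download") {
  let name;
  try { name = decodeURIComponent(raw || ""); } catch { name = raw || ""; }
  name = name.split(/[\\/]/).pop();                            // drop directory path information
  name = name.replace(/[\u0000-\u001f\u007f<>:"|?*]/g, "_");   // control and reserved characters
  name = name.replace(/^[.\s]+/, "").replace(/[.\s]+$/, "");   // no dotfiles, no trailing dot/space
  if (/^(con|prn|aux|nul|com\d|lpt\d)(\..*)?$/i.test(name)) name = "_" + name; // Windows device names
  return name.slice(0, 255) || fallback;
}

// Never overwrite: pick a free name given the set of names already in the save directory.
function pickNonClobberingName(name, existing) {
  if (!existing.has(name)) return name;
  const dot = name.lastIndexOf(".");
  const stem = dot > 0 ? name.slice(0, dot) : name;
  const ext = dot > 0 ? name.slice(dot) : "";
  for (let i = 1; ; i++) {
    const candidate = `${stem} (${i})${ext}`;
    if (!existing.has(candidate)) return candidate;
  }
}

// Constructed input: the URI from the quoted proposal.
const sample = "data:text/plain;charset=utf-8;filename=tada.txt;content-disposition=attachment,file_data";
const suggested = safeSuggestedName(parseDataUriParams(sample).filename);
console.log(pickNonClobberingName(suggested, new Set(["tada.txt"])));
```

The user should still confirm the save location; sanitizing the name only removes the path-traversal, dotfile and overwrite cases.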
