W3C home > Mailing lists > Public > uri@w3.org > February 2010

Re: data URIs - filename and content-disposition

From: Michael A. Puls II <shadow2531@gmail.com>
Date: Thu, 25 Feb 2010 00:09:32 -0500
To: uri@w3.org, "Michael Wojcik" <Michael.Wojcik@microfocus.com>
Message-ID: <op.u8n296ko1ejg13@sandra-svwliu01>
On Wed, 24 Feb 2010 09:49:41 -0500, Michael Wojcik  
<Michael.Wojcik@microfocus.com> wrote:

>> With that said, I think it'd be awesome if you could do something like:
>>
>> <a
>> href="data:text/plain;charset=utf-8;filename=tada.txt;content-
>> disposition=attachment,file_data">Save</a>.
>
> And is it the responsibility of the user agent, or of the user, to  
> ensure that there is no security risk in saving the file under the name  
> suggested by the URI?
>
> Considering how ready most users are to simply click through warnings  
> and confirmations, this looks like a great way for sites to drop  
> trojans, or place other malware at a known location so it can be  
> activated through another vector.
>
> I'd at least like to see a decent review of the security implications,  
> with reference to known attacks along similar vectors (eg the use of  
> content-disposition with email attachments), as part of the proposal.

I would expect user agents to deal with the filename and  
content-disposition values security-wise in the same way they do when it's  
presented via http or in mime messages.

For example, if you have:

data:application/octet-stream;filename=foo.exe,file_data
or
data:application/x-msdownload;filename=foo.exe,file_data

, UAs would only provide a save button in their dialog and no open button  
(well browsers that feel that it's important to do this at least).

-- 
Michael
Received on Thursday, 25 February 2010 05:10:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:14 UTC