Re: data URIs - filename and content-disposition

On Wed, 24 Feb 2010 09:49:41 -0500, Michael Wojcik  
<> wrote:

>> With that said, I think it'd be awesome if you could do something like:
>> <a
>> href="data:text/plain;charset=utf-8;filename=tada.txt;content-
>> disposition=attachment,file_data">Save</a>.
> And is it the responsibility of the user agent, or of the user, to  
> ensure that there is no security risk in saving the file under the name  
> suggested by the URI?
> Considering how ready most users are to simply click through warnings  
> and confirmations, this looks like a great way for sites to drop  
> trojans, or place other malware at a known location so it can be  
> activated through another vector.
> I'd at least like to see a decent review of the security implications,  
> with reference to known attacks along similar vectors (eg the use of  
> content-disposition with email attachments), as part of the proposal.

I would expect user agents to deal with the filename and  
content-disposition values security-wise in the same way they do when it's  
presented via http or in mime messages.

For example, if you have:


, UAs would only provide a save button in their dialog and no open button  
(well browsers that feel that it's important to do this at least).


Received on Thursday, 25 February 2010 05:10:01 UTC