
RE: data URIs - filename and content-disposition

From: Michael Wojcik <Michael.Wojcik@microfocus.com>
Date: Thu, 25 Feb 2010 05:39:53 -0800
Message-ID: <81F42F63D5BB344ABF294F8E80990C79CD5514@MTV-EXCHANGE.microfocus.com>
To: <uri@w3.org>
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> 
> On 24.02.2010 15:49, Michael Wojcik wrote:
> >
> > And is it the responsibility of the user agent, or of the user, to
> > ensure that there is no security risk in saving the file under the name
> > suggested by the URI?
> >
> 
> It's not a new attack vector. See
> <http://tools.ietf.org/html/rfc2183#section-5>.

It's not a new attack vector for MUAs that already respect Content-disposition. It's a new attack vector for anything that implements the proposal to support content-disposition as a parameter in data-scheme URIs.

The user experience for email attachments and web-page links is quite different for most clients. Users treat those as different applications, with different recommended practices. They're not equivalent security domains.

I thought that was sufficiently obvious to not merit pointing out, but apparently I was wrong.

But in any case, Michael Puls II points out in a subsequent message that some HTTP UAs already respect Content-disposition in HTTP headers, so this train has left the station.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
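As an added defender-side illustration of the risk discussed in this message (example code, not from the thread or any of its participants): a user agent that treats a Content-Disposition filename carried in a data URI as a hint and never as a path, following the RFC 2183 section 5 advice. The data URI parameter syntax parsed here is an assumption made for the example, not the syntax of the proposal under discussion.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed (hypothetical) syntax for this example: a data URI whose parameter
# list carries a percent-encoded Content-Disposition value, e.g.
#   data:text/plain;content-disposition=attachment%3B%20filename%3D%22a.txt%22,hello
# Nothing here reflects the actual wording of any proposal.


def suggested_filename(data_uri: str) -> Optional[str]:
    """Return the raw filename= value from the assumed parameter, or None."""
    head, _, _ = data_uri.partition(",")
    if not head.startswith("data:"):
        return None
    # head[5:] is "<mediatype>;<param>;<param>..."; the first item is the media type.
    for param in head[5:].split(";")[1:]:
        key, _, value = param.partition("=")
        if key.strip().lower() == "content-disposition":
            disposition = unquote(value)
            m = re.search(r'filename\s*=\s*"?([^";]*)"?', disposition, re.I)
            return m.group(1) if m else None
    return None


def safe_download_name(suggested: Optional[str], default: str = "download") -> str:
    """Reduce an untrusted suggested name to a bare, printable file name.

    RFC 2183 section 5: the receiver must not let the sender choose a directory,
    so every path component (including '..', absolute prefixes and drive letters)
    is discarded and only the last component survives, cleaned of control chars.
    """
    if suggested is None:
        return default
    name = suggested.replace("\\", "/")   # treat Windows separators as separators too
    name = posixpath.basename(name)       # drop all directory components
    name = name.strip().strip(".")        # no '..', no hidden/dot-only names
    name = "".join(ch for ch in name if ch.isprintable() and ch not in '<>:"|?*/')
    return name or default


def download_name_for(data_uri: str) -> str:
    """Convenience wrapper: parse the URI, then sanitize whatever it suggested."""
    return safe_download_name(suggested_filename(data_uri))
```

A constructed URI suggesting `../../etc/passwd` therefore yields a download named `passwd`, and one suggesting only `..` falls back to the default name.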

Received on Thursday, 25 February 2010 13:44:32 UTC
