- From: Michael Wojcik <Michael.Wojcik@microfocus.com>
- Date: Thu, 25 Feb 2010 05:39:53 -0800
- To: <uri@w3.org>
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>
> On 24.02.2010 15:49, Michael Wojcik wrote:
> >
> > And is it the responsibility of the user agent, or of the user, to
> > ensure that there is no security risk in saving the file under the name
> > suggested by the URI?
>
> It's not a new attack vector. See
> <http://tools.ietf.org/html/rfc2183#section-5>.

It's not a new attack vector for MUAs that already respect
Content-disposition. It's a new attack vector for anything that implements
the proposal to support content-disposition as a parameter in data-scheme
URIs.

The user experience for email attachments and web-page links is quite
different for most clients. Users treat those as different applications,
with different recommended practices. They're not equivalent security
domains. I thought that was sufficiently obvious to not merit pointing out,
but apparently I was wrong.

But in any case, Michael Puls II points out in a subsequent message that
some HTTP UAs already respect Content-disposition in HTTP headers, so this
train has left the station.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Received on Thursday, 25 February 2010 13:44:32 UTC
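The exchange above turns on the receiver-side checks that RFC 2183 asks for: the recipient should ignore any directory path information in the filename parameter (section 2.3) and should not blindly use the suggested name but check that it conforms to local conventions, does not overwrite an existing file and does not present a security problem (section 5). The following is an added illustration, written for this archive page and not code from the thread or from any user agent, of what such a check looks like when a UA saves a file under a name suggested by a Content-Disposition value, whether that value came from an HTTP header or, under the proposal being discussed, from a parameter inside a data: URI. The sample header values at the bottom are constructed for the demonstration.

```python
import os
import re
from typing import Iterable, Optional
from email.message import Message

# Windows device names that cannot be used as file names, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}


def suggested_filename(content_disposition: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, or None.

    The value may come from an HTTP header or from a data: URI parameter;
    the parameter syntax is the same, so the same parser serves both.
    """
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()  # also decodes the RFC 2231 filename*= form


def sanitize_filename(name: str, fallback: str = "download",
                      taken: Iterable[str] = ()) -> str:
    """Turn an untrusted suggested name into one that is safe to create.

    Applies the checks RFC 2183 asks of the receiver: ignore directory path
    information (section 2.3) and make sure the name fits local conventions,
    does not overwrite an existing file and is not otherwise dangerous
    (section 5).
    """
    taken = set(taken)
    # 1. Ignore any path information: keep only the last path segment,
    #    treating both separator styles as separators regardless of platform.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Replace control characters and characters common filesystems reject.
    name = re.sub(r'[\x00-\x1f\x7f<>:"|?*]', "_", name)
    # 3. No leading dots (hidden files, "." and "..") and no trailing dots or
    #    spaces, which Windows silently drops.
    name = name.strip(" .")
    if not name:
        name = fallback
    # 4. Prefix reserved device names so "CON.txt" is not opened as a device.
    if name.split(".", 1)[0].upper() in RESERVED:
        name = "_" + name
    # 5. Never overwrite: append a counter until the name is unused.
    stem, ext = os.path.splitext(name)
    candidate, n = name, 1
    while candidate in taken:
        candidate = f"{stem} ({n}){ext}"
        n += 1
    return candidate


def safe_download_name(content_disposition: str, taken: Iterable[str] = ()) -> str:
    """Parse the header value, then sanitize whatever name it suggests."""
    suggested = suggested_filename(content_disposition)
    return sanitize_filename(suggested or "", taken=taken)


if __name__ == "__main__":
    # Constructed sample values (not taken from the thread); each exercises one check.
    samples = [
        'attachment; filename="../../etc/passwd"',
        'attachment; filename="..\\..\\boot.ini"',
        'attachment; filename=".bashrc"',
        'attachment; filename="CON.txt"',
        'attachment; filename="report.pdf"',
        'attachment',
    ]
    for cd in samples:
        print(f"{cd!r:48} -> {safe_download_name(cd, taken={'report.pdf'})}")
```

The point of step 1 is the one RFC 2183 makes: the receiver decides where the file goes, and the sender's parameter only influences the leaf name. The remaining steps are the "local filesystem conventions" part of section 5, which necessarily differ between platforms; the reserved-name and trailing-dot rules shown here are Windows conventions and a UA on another platform would substitute its own.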