Re: data URIs - filename and content-disposition

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 25 Feb 2010 14:52:36 +0100
Message-ID: <4B8680A4.4050305@gmx.de>
To: Michael Wojcik <Michael.Wojcik@microfocus.com>
CC: uri@w3.org

On 25.02.2010 14:39, Michael Wojcik wrote:
>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>
>> On 24.02.2010 15:49, Michael Wojcik wrote:
>>>
>>> And is it the responsibility of the user agent, or of the user, to
>>> ensure that there is no security risk in saving the file under the name
>>> suggested by the URI?
>>>
>>
>> It's not a new attack vector. See
>> <http://tools.ietf.org/html/rfc2183#section-5>.
>
> It's not a new attack vector for MUAs that already respect Content-disposition. It's a new attack vector for anything that implements the proposal to support content-disposition as a parameter in data-scheme URIs.

All major browsers that I'm aware of *do* support Content-Disposition 
already.

> The user experience for email attachments and web-page links is quite different for most clients. Users treat those as different applications, with different recommended practices. They're not equivalent security domains.
>
> I thought that was sufficiently obvious to not merit pointing out, but apparently I was wrong.
>
> But in any case, Michael Puls II points out in a subsequent message that some HTTP UAs already respect Content-disposition in HTTP headers, so this train has left the station.

Right.

Best regards, Julian
Received on Thursday, 25 February 2010 13:53:16 UTC