- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 25 Feb 2010 14:52:36 +0100
- To: Michael Wojcik <Michael.Wojcik@microfocus.com>
- CC: uri@w3.org
On 25.02.2010 14:39, Michael Wojcik wrote:
>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>
>> On 24.02.2010 15:49, Michael Wojcik wrote:
>>>
>>> And is it the responsibility of the user agent, or of the user, to
>>> ensure that there is no security risk in saving the file under the name
>>> suggested by the URI?
>>>
>>
>> It's not a new attack vector. See
>> <http://tools.ietf.org/html/rfc2183#section-5>.
>
> It's not a new attack vector for MUAs that already respect
> Content-disposition. It's a new attack vector for anything that
> implements the proposal to support content-disposition as a parameter
> in data-scheme URIs.

All major browsers that I'm aware of *do* support Content-Disposition already.

> The user experience for email attachments and web-page links is quite
> different for most clients. Users treat those as different
> applications, with different recommended practices. They're not
> equivalent security domains.
>
> I thought that was sufficiently obvious to not merit pointing out, but
> apparently I was wrong.
>
> But in any case, Michael Puls II points out in a subsequent message
> that some HTTP UAs already respect Content-disposition in HTTP
> headers, so this train has left the station.

Right.

Best regards, Julian
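The risk both sides of the thread refer to is the one RFC 2183 section 5 describes: a user agent must not let a sender-supplied filename choose where a file lands. The following is an added example, not code from this thread or from any of the browsers mentioned. It takes a plain Content-Disposition header value as input (the standard HTTP/MIME form; the data: URI parameter syntax under discussion is not modelled, since its exact form is not stated here) and reduces the suggested name to a single safe path component, which is the check a user agent would apply regardless of where the header value came from. The sample header values are constructed for illustration.

```python
import re
import posixpath
import ntpath

# Matches "; name=value" parameters, where value is a token or a quoted-string.
# This is a minimal parser for illustration, not a complete RFC 2183/6266 one.
_PARAM_RE = re.compile(r';\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

# Names Windows treats specially regardless of extension; saving to them is unsafe.
_WINDOWS_RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}


def parse_content_disposition(value):
    """Return (disposition_type, params) for a Content-Disposition value.

    Quoted-string parameter values are unquoted and backslash-unescaped;
    parameter names are lower-cased.
    """
    head, sep, rest = value.partition(";")
    dtype = head.strip().lower()
    params = {}
    for m in _PARAM_RE.finditer(";" + rest if sep else ""):
        key, val = m.group(1).lower(), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        params[key] = val
    return dtype, params


def safe_filename(suggested, fallback="download"):
    """Reduce a sender-supplied filename to one safe path component.

    Following RFC 2183 section 5: directory components are dropped (both
    '/' and '\\' separators), control characters are neutralised, and
    hidden, reserved or empty names fall back to a generic name. The caller
    still joins the result onto its own download directory.
    """
    if not suggested:
        return fallback
    # Keep only the last path component, whichever separator convention is used.
    name = ntpath.basename(posixpath.basename(suggested))
    # Replace NUL and other control characters instead of silently dropping them,
    # so a name such as 'evil.exe\x00.txt' cannot collapse into something else.
    name = "".join(ch if ord(ch) >= 0x20 and ch != "\x7f" else "_" for ch in name)
    # Trailing dots and spaces are stripped by Windows; strip them ourselves.
    name = name.strip().rstrip(". ")
    stem = name.split(".", 1)[0].lower()
    if name in ("", ".", "..") or name.startswith(".") or stem in _WINDOWS_RESERVED:
        return fallback
    if len(name) > 255:
        name = name[-255:]  # truncate from the front so the extension survives
    return name


def download_name_for(header_value, fallback="download"):
    """Map a Content-Disposition value to the name a user agent may save under."""
    _, params = parse_content_disposition(header_value)
    return safe_filename(params.get("filename", ""), fallback)


# Constructed sample header values, not taken from the thread.
SAMPLES = [
    'attachment; filename="report.pdf"',
    'attachment; filename="../../etc/passwd"',
    'attachment; filename="C:\\Windows\\system32\\drivers\\etc\\hosts"',
    'attachment; filename="evil.exe\x00.txt"',
    'inline; filename=".bashrc"',
    "attachment; filename=CON.txt",
    "attachment",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(repr(header), "->", download_name_for(header))
```

Whether the header value arrives in an HTTP response or inside a URI, the sanitiser is the same; the disagreement in the thread is about which clients already apply it, not about what it must do.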
Received on Thursday, 25 February 2010 13:53:16 UTC