Re: data URIs - filename and content-disposition

On 25.02.2010 14:39, Michael Wojcik wrote:
>> From: Julian Reschke []
>> On 24.02.2010 15:49, Michael Wojcik wrote:
>>> And is it the responsibility of the user agent, or of the user, to
>> ensure that there is no security risk in saving the file under the name
>> suggested by the URI?
>> It's not a new attack vector. See
>> <>.
> It's not a new attack vector for MUAs that already respect Content-disposition. It's a new attack vector for anything that implements the proposal to support content-disposition as a parameter in data-scheme URIs.

All major browsers that I'm aware of *do* support Content-Disposition 

> The user experience for email attachments and web-page links is quite different for most clients. Users treat those as different applications, with different recommended practices. They're not equivalent security domains.
> I thought that was sufficiently obvious to not merit pointing out, but apparently I was wrong.
> But in any case, Michael Puls II points out in a subsequent message that some HTTP UAs already respect Content-disposition in HTTP headers, so this train has left the station.


Best regards, Julian

Received on Thursday, 25 February 2010 13:53:16 UTC