On 25.02.2010 14:39, Michael Wojcik wrote:
>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>
>> On 24.02.2010 15:49, Michael Wojcik wrote:
>>> And is it the responsibility of the user agent, or of the user, to
>>> ensure that there is no security risk in saving the file under the name
>>> suggested by the URI?
>>
>> It's not a new attack vector. See
>> <http://tools.ietf.org/html/rfc2183#section-5>.
>
> It's not a new attack vector for MUAs that already respect
> Content-disposition. It's a new attack vector for anything that
> implements the proposal to support content-disposition as a parameter
> in data-scheme URIs.

All major browsers that I'm aware of *do* support Content-Disposition
already.

> The user experience for email attachments and web-page links is quite
> different for most clients. Users treat those as different applications,
> with different recommended practices. They're not equivalent security
> domains.
>
> I thought that was sufficiently obvious to not merit pointing out, but
> apparently I was wrong.
>
> But in any case, Michael Puls II points out in a subsequent message that
> some HTTP UAs already respect Content-disposition in HTTP headers, so
> this train has left the station.

Right.

Best regards, Julian

Received on Thursday, 25 February 2010 13:53:16 UTC
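An added example, not from the thread or from either correspondent: the check that RFC 2183 section 5 asks a receiving agent to perform on a suggested filename (take it as a hint, not as a path), written in JavaScript and applied to a Content-Disposition value whether it arrived as an HTTP header or as a parameter of a data: URI. The data: URI syntax used here (a percent-encoded `content-disposition=` parameter among the mediatype parameters) is an assumption, since the thread does not show the proposal's exact form; the function names and the sample inputs are constructed for this example.

```javascript
// Added example (not code from the thread or from any browser).
// A user agent must not trust the filename a sender suggests in
// Content-Disposition: RFC 2183 section 5 says to check and, if needed,
// change it so it cannot escape the download directory or clash with
// local filesystem rules. The same check applies whatever channel carried
// the header value (HTTP response header, or a data: URI parameter under
// the proposal discussed in the thread).

// Split "type; name=value; name="quoted; value"" on ';' outside quotes,
// honouring backslash quoted-pairs inside quoted strings and dropping the quotes.
function splitParams(value) {
  const out = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (inQuote && c === '\\' && i + 1 < value.length) { cur += value[++i]; continue; }
    if (c === '"') { inQuote = !inQuote; continue; }
    if (c === ';' && !inQuote) { out.push(cur); cur = ''; continue; }
    cur += c;
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(s => s.length > 0);
}

function parseContentDisposition(value) {
  const parts = splitParams(value);
  const type = (parts.shift() || '').toLowerCase();
  const params = {};
  for (const p of parts) {
    const eq = p.indexOf('=');
    if (eq <= 0) continue;
    params[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  return { type, params };
}

const FALLBACK_NAME = 'download';
// Device names Windows refuses or redirects, with or without an extension.
const WINDOWS_RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i;

// Reduce a sender-supplied name to something safe to create in the download
// directory. Anything the sender could use to pick a *location* is removed.
function safeFilename(suggested) {
  if (typeof suggested !== 'string') return FALLBACK_NAME;
  // Keep only the last path component: "../../.ssh/authorized_keys" -> "authorized_keys".
  let name = suggested.split(/[\\/]/).pop();
  // Drop control characters and characters rejected by common filesystems
  // (':' also kills NTFS alternate data streams such as "x.txt:evil").
  name = name.replace(/[\x00-\x1f\x7f<>:"|?*]/g, '');
  // Windows silently strips trailing dots and spaces, so "evil.exe. " is "evil.exe".
  name = name.replace(/[. ]+$/, '');
  // No hidden or relative names: ".bashrc" -> "bashrc", ".." -> "" -> fallback.
  name = name.replace(/^\.+/, '');
  if (name === '' || WINDOWS_RESERVED.test(name)) return FALLBACK_NAME;
  if (name.length > 255) name = name.slice(0, 255);
  return name;
}

// What the UA actually uses: whether to prompt a save, and under which name.
function filenameFromDisposition(value) {
  const { type, params } = parseContentDisposition(value);
  return { attachment: type === 'attachment', filename: safeFilename(params.filename) };
}

// ASSUMED syntax for the proposal discussed in the thread (not taken from it):
//   data:<mediatype>;content-disposition=<percent-encoded value>[;base64],<data>
// Returns the decoded Content-Disposition value, or null if none is present.
function dispositionFromDataUri(uri) {
  if (!uri.startsWith('data:')) return null;
  const comma = uri.indexOf(',');
  if (comma < 0) return null;
  for (const p of uri.slice(5, comma).split(';')) {
    const eq = p.indexOf('=');
    if (eq > 0 && p.slice(0, eq).toLowerCase() === 'content-disposition') {
      return decodeURIComponent(p.slice(eq + 1));
    }
  }
  return null;
}

// Constructed sample: a data: URI whose disposition tries to climb out of the
// download directory. The UA ends up saving "x.txt", not "../../x.txt".
const SAMPLE_DATA_URI =
  'data:text/plain;content-disposition=attachment%3B%20filename%3D%22..%2F..%2Fx.txt%22,hello';
console.log(filenameFromDisposition(dispositionFromDataUri(SAMPLE_DATA_URI)));
```

The filename check is deliberately the same function for both channels; the thread's point is that honouring Content-Disposition in a data: URI adds a new sender-controlled input, not a new kind of risk, so a UA that already applies RFC 2183 section 5 to HTTP responses reuses the same guard.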