[whatwg] "Content-Disposition" property for <a> tags

Boris Zbarsky bzbarsky at MIT.EDU
Sun May 1 09:56:32 PDT 2011


On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

At least in the case of Firefox for that particular case on Windows the 
filename will be sanitized...

But yes, there are other situations where things could be more problematic.

-Boris


More information about the whatwg mailing list