[whatwg] "Content-Disposition" property for <a> tags

Michal Zalewski lcamtuf at coredump.cx
Sat Apr 30 11:24:11 PDT 2011


Note that somewhat counterintuitively, there would be some security
concerns with markup-level content disposition controls (or any JS
equivalent). For example, consider evil.com doing this:

<a href='http://example.com/user_content/harmless_text_file.txt'
disposition='attachment; filename="Important_Security_Update.exe"'>

Downloading files in general is a very problematic area, because
there's a very fragile transition between HTTP MIME type and
filesystem extension or other OS-level content determination
mechanism. Many browsers either don't try to do anything useful to
prevent weird "promotions" from safe to unsafe document types; or
enforce decidedly imperfect logic. Allowing attackers to further
control this process has some risks.

[ This is further compounded by the fact that in many cases, it is
safer for users to open certain document types, HTML included, from
http: URLs than from file:. ]

/mz


More information about the whatwg mailing list