[whatwg] "Content-Disposition" property for <a> tags

Glenn Maynard glenn at zewt.org
Sat Apr 30 11:45:26 PDT 2011


On Sat, Apr 30, 2011 at 2:24 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

To do some contriving, in trying to follow the example: if example.com
is a site trusted by the user or administrator, it may be flagged in
the browser as "always allow saving sensitive file types from this
site".  If you can override the C-D header remotely, and if there
exists (for example) a text file whose contents happen to alias to a
dangerous executable, then you could cause a dangerous executable to
be saved to disk.  Browsers might need a mechanism to remember whether
the effective Content-Disposition header is "trusted" (received from
the response, or overridden from the same origin) or not, which is
sort of annoying.

Maybe a bit more contriving could come up with a more plausible example.

> Downloading files in general is a very problematic area, because
> there's a very fragile transition between HTTP MIME type and
> filesystem extension or other OS-level content determination
> mechanism. Many browsers either don't try to do anything useful to
> prevent weird "promotions" from safe to unsafe document types; or
> enforce decidedly imperfect logic. Allowing attackers to further
> control this process has some risks.

It's also a very important area for web apps, and one that's currently
lacking, so I do think it's worth the work.

-- 
Glenn Maynard



More information about the whatwg mailing list