[whatwg] "Content-Disposition" property for <a> tags

Michal Zalewski lcamtuf at coredump.cx
Sat Apr 30 11:54:16 PDT 2011


> Maybe a bit more contriving could come up with a more plausible example.

My concern is a bit more straightforward. To use a practical example:
just because a social networking site allows nearly arbitrary JPEG
files to be uploaded and served as profile pictures (Content-Type:
image/jpeg) does not mean that the application wants users to be
offered that content as a download named Security_Update.exe,
supposedly coming from that trusted site.

(It is usually not difficult to construct documents that are both a
valid image and a valid executable.)

But yes, there are probably also potential interactions with
whitelisted domains, especially given that the whitelist-based
capabilities are expanding rapidly.

/mz
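The uploading site's side of the concern above, as an added example (mine, not code from this thread, from any browser, or from the spec): a marker-level walk over an uploaded JPEG that rejects bytes appended after EOI and oversized COM/APPn segments, the two places a second file format is usually parked, together with response headers in which the serving site itself fixes the content type and the filename rather than leaving either to a third-party link. The sample bytes are a constructed marker skeleton, not a decodable photograph, and the 1024-byte metadata limit is an assumed policy value.

```python
"""Structural checks for user-uploaded JPEGs plus headers that keep the
offered filename under the serving site's control. Added example; the
size policy and the sample bytes are constructed for illustration."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field
MAX_META_BYTES = 1024  # assumed policy: largest COM/APPn payload we tolerate


def walk_jpeg(data: bytes) -> dict:
    """Walk JPEG marker segments without decoding pixels.

    Reports ok/reason, the segment list, bytes found after EOI (where an
    appended zip/script payload usually sits) and the largest COM/APPn
    payload (where an in-band payload usually sits)."""
    info = {"ok": False, "reason": "", "segments": [], "trailing": 0, "largest_meta": 0}
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        info["reason"] = "missing SOI"
        return info
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            info["reason"] = f"expected marker at offset {pos}"
            return info
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            info["reason"] = "truncated marker"
            return info
        marker = data[pos]
        pos += 1
        if marker == EOI:
            info["segments"].append((EOI, 0))
            info["trailing"] = len(data) - pos
            if info["trailing"]:
                info["reason"] = f"{info['trailing']} bytes after EOI"
            else:
                info["ok"] = True
            return info
        if marker in STANDALONE:
            info["segments"].append((marker, 0))
            continue
        if pos + 2 > len(data):
            info["reason"] = "truncated segment length"
            return info
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        if length < 2 or pos + length > len(data):
            info["reason"] = f"bad segment length {length} at offset {pos}"
            return info
        info["segments"].append((marker, length))
        if marker == COM or 0xE0 <= marker <= 0xEF:
            info["largest_meta"] = max(info["largest_meta"], length - 2)
        pos += length
        if marker == SOS:
            # Entropy-coded data follows; it ends at the first 0xFF that is
            # neither a stuffed 0xFF00 nor a restart marker RST0..RST7.
            found = False
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    found = True
                    break
                pos += 1
            if not found:
                info["reason"] = "scan data runs off the end of the file"
                return info
    info["reason"] = "no EOI"
    return info


def accept_upload(data: bytes, max_meta: int = MAX_META_BYTES) -> tuple:
    """Decide whether an upload is a plain JPEG the site is willing to serve."""
    info = walk_jpeg(data)
    if not info["ok"]:
        return False, info["reason"]
    if info["largest_meta"] > max_meta:
        return False, f"metadata segment of {info['largest_meta']} bytes exceeds policy"
    return True, "ok"


def profile_picture_headers(user_id: int) -> dict:
    """Headers for serving the stored bytes: the name derives from the server's
    own identifier, never from the uploader or a linking page, and the type is
    pinned so the browser does not sniff the content."""
    return {
        "Content-Type": "image/jpeg",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="avatar-{user_id}.jpg"',
    }


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a marker skeleton, not a real photograph.
GOOD_JPEG = (b"\xff\xd8"
             + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0, 14 bytes
             + _seg(0xDB, b"\x00" + bytes(64))                                 # DQT
             + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")             # SOF0
             + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                         # SOS
             + b"\x12\x34\xff\x00\x56"                                         # scan data with stuffed FF00
             + b"\xff\xd9")
POLYGLOT = GOOD_JPEG + b"PK\x03\x04constructed-archive-tail"   # second format appended after EOI
BIG_COMMENT = b"\xff\xd8" + _seg(COM, b"MZ" + bytes(4000)) + GOOD_JPEG[2:]  # payload parked in COM

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("polyglot", POLYGLOT), ("big_comment", BIG_COMMENT)):
        print(name, accept_upload(blob))
    print(profile_picture_headers(123))
```

A structural walk like this raises the bar but does not prove a file has only one interpretation; re-encoding the image server-side is the stronger option. The header side is the site's own lever over what a browser offers the user, whichever way the attribute debated in this thread ends up resolved.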
