[whatwg] "Content-Disposition" property for <a> tags
Michal Zalewski
lcamtuf at coredump.cx
Sat Apr 30 11:54:16 PDT 2011
> Maybe a bit more contriving could come up with a more plausible example.
My concern is a bit more straightforward. To use a practical example:
just because a social networking site allows nearly arbitrary JPEG
files to be uploaded and served as profile pictures (Content-Type:
image/jpeg) does not mean that the applications wants users to be
offered that content as a download named Security_Update.exe,
supposedly coming from that trusted site.
(It is usually not difficult to construct documents that are both a
valid image and a valid executable.)
But yes, there are probably also potential interactions with
whitelisted domains, especially given that the whitelist-based
capabilities are expanding rapidly.
/mz
More information about the whatwg
mailing list