[whatwg] "Content-Disposition" property for <a> tags

Glenn Maynard glenn at zewt.org
Sat Apr 30 12:07:45 PDT 2011


On Sat, Apr 30, 2011 at 2:54 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> My concern is a bit more straightforward. To use a practical example:
> just because a social networking site allows nearly arbitrary JPEG
> files to be uploaded and served as profile pictures (Content-Type:
> image/jpeg) does not mean that the applications wants users to be
> offered that content as a download named Security_Update.exe,
> supposedly coming from that trusted site.

So, it's not so much the security issue (the browser's job), but an
appearance-of-fault issue: the site not wanting to be blamed if the
browser fails at that job.

> But yes, there are probably also potential interactions with
> whitelisted domains, especially given that the whitelist-based
> capabilities are expanding rapidly.

That suggests that this should be added sooner rather than later, so
the concept of filenames for files on trusted domains being set by
untrusted domains is considered in the design of these capabilities,
rather than being bolted on later.

-- 
Glenn Maynard



More information about the whatwg mailing list