[whatwg] a rel=attachment

Alexey Proskuryakov ap at webkit.org
Mon Jul 18 08:58:35 PDT 2011


17.07.2011, в 21:05, Adam Barth написал(а):

> In summary, using CORS for this purpose is costly (both to
> implementors and to authors), and I don't think it solves a real
> security problem.


Agreed. This feature basically gives authors two abilities: (1) force downloading of resources that would be displayed inline otherwise, and (2) rename them on the fly. Neither is what a site operator adding CORS headers e.g. for WebGL textures would think they're allowing.

A different scenario which I don't think has been discussed in this thread is bypassing a hosting service security settings. Consider a highly reputable hosting that doesn't let you upload executable files (or maybe just scans those for malware if uploaded). With @download, one could bypass that, and make users download or even run an .EXE file by following an innocuous link to a well known domain. This kind of download could be same origin or cross origin.

Perhaps an author who has not been given permission to change server HTTP responses is not trusted enough to change them via HTML either. 

- WBR, Alexey Proskuryakov



More information about the whatwg mailing list