[whatwg] a rel=attachment

Glenn Maynard glenn at zewt.org
Thu Jul 14 13:53:19 PDT 2011

2011/7/14 Darin Fisher <darin at chromium.org>

> I know that there is also a proposal to add a FileSaver API.  I like that
> as well, _but_ it is very nice to be able to simply decorate an anchor tag.
>  In many cases, that will be a lot simpler for developers than using
> JavaScript to construct a FileSaver.  I think it makes sense to implement
> both.

FileSaver is useful in its own right, but it's not a great fit for this.

That reminds me of something download=filename can't do: assign a filename
while leaving it inline, so "save as" and other operations can have a
specified filename.  That would require two separate properties.  One case
I've come across is <img>, where I want to display an image, but provide a
different filename for save-as.  Separating the filename would allow this to
be applied generically both links and inline resources: <img
src=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15.jpg filename=picture.jpg>.

In that case, rel=enclosure would probably make sense.

On the other thread, Michal Zalewski raised a concern about giving
> client-side JS the power to name files.

That subthread just seemed to be asking whether browsers should implement
Content-Disposition, which didn't seem relevant--they already have, for

Separately, there was a security question raised about the ability to serve
a file off of a third-party site with a different filename than was
intended.  For example, uploading a file which is both an executable trojan
and a valid JPEG to an image hosting site, and linking to it externally,
overriding its filename to .EXE.  The question there isn't about being able
to serve executables--you can always do that--but being able to serve
executables that appear to be from the image hosting site.  Arguably, it
could 1: cause users to trust the file because it appears to be from a site
they recognize, or 2: cause the site to be blamed for the trojan.

I mention it so people don't have to scour the previous threads for it, but
I think it's uncompelling.  It just seems like something UI designers would
need to take into consideration.  (In my opinion, the trust and blame for
saving a file to disk should be applied to the host *linking* the file, and
not from the site hosting the file, which makes the above irrelevant.)

Glenn Maynard

More information about the whatwg mailing list