[whatwg] "Content-Disposition" property for <a> tags

Glenn Maynard glenn at zewt.org
Thu Jun 2 11:18:44 PDT 2011


I don't think the issue raised was about getting people to save files,
though.  If you can get someone to click a link, you can already point
them at something that sets the HTTP C-D header.

As I recall, the concern was about getting people to do this on files
that appear to be from a trusted domain.  That is, evil.com linking to
a perl script on trusted.com (or, say, a dual-mode image/ELF file),
setting C-D in the link to get it to save-as, perhaps hoping that
people will see "from: http://trusted.com" in the save-as dialog.  (I
doubt that most users look at that at all; Chrome doesn't even seem to
bother displaying it.)

At worst, it just seems like a minor UI design issue.

-- 
Glenn Maynard


