[whatwg] "Content-Disposition" property for <a> tags
glenn at zewt.org
Thu Jun 2 11:18:44 PDT 2011

I don't think the issue raised was about getting people to save files,
though. If you can get someone to click a link, you can already point
them at something that sets the HTTP C-D header.

As I recall, the concern was about getting people to do this on files
that appear to be from a trusted domain. That is, evil.com linking to
a Perl script on trusted.com (or, say, a dual-mode image/ELF file),
setting C-D in the link to get it to save-as, perhaps hoping that
people will see "from: http://trusted.com" in the save-as dialog. (I
doubt that most users look at that at all; Chrome doesn't even seem to
bother displaying it.)

At worst, it just seems like a minor UI design issue.