[whatwg] "Content-Disposition" property for <a> tags

Boris Zbarsky bzbarsky at MIT.EDU
Sun May 1 09:56:32 PDT 2011

On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

At least in the case of Firefox for that particular case on Windows the 
filename will be sanitized...

But yes, there are other situations where things could be more problematic.
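
The mismatch in the quoted example (a `disposition` attribute on evil.com's page renaming a text file served by example.com to `.exe`) can be neutralized by letting the served Content-Type, not the markup, decide the extension. The sketch below is an added illustration and not part of the original message, and it is not Firefox's actual sanitization logic; the function names, the extension list and the type mapping are assumptions.

```javascript
// Added illustration of one possible policy; NOT Firefox's actual algorithm.
// EXT_FOR_TYPE and EXECUTABLE_EXTS are assumed, deliberately small lists.
const EXT_FOR_TYPE = {
  "text/plain": "txt",
  "text/html": "html",
  "image/png": "png",
  "application/pdf": "pdf",
};
const EXECUTABLE_EXTS = new Set(
  ["exe", "scr", "bat", "cmd", "com", "msi", "pif", "lnk", "vbs", "js"]);

// Pull the filename parameter out of a disposition string (quoted or token form).
function parseSuggestedFilename(disposition) {
  const m = /filename\s*=\s*(?:"([^"]*)"|([^;\s]+))/i.exec(disposition || "");
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

function extOf(name) {
  const dot = name.lastIndexOf(".");
  return dot >= 0 ? name.slice(dot + 1).toLowerCase() : "";
}

// The markup-supplied name is untrusted (it comes from the linking page),
// so the served Content-Type, not the markup, decides the final extension.
function safeDownloadName(disposition, contentType, urlPath) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  let name = parseSuggestedFilename(disposition) ||
             urlPath.split("/").pop() || "download";
  // Drop directory components and characters Windows rejects in file names.
  name = name.replace(/^.*[\\/]/, "").replace(/[\x00-\x1f<>:"|?*]/g, "_");
  // Repeatedly trim trailing dots/spaces (the Win32 API drops them) and
  // strip executable extensions, so "a.exe..exe" cannot survive one pass.
  let prev;
  do {
    prev = name;
    name = name.replace(/[. ]+$/, "");
    if (EXECUTABLE_EXTS.has(extOf(name))) {
      name = name.slice(0, name.lastIndexOf("."));
    }
  } while (name !== prev);
  if (!name) name = "download";
  const expected = EXT_FOR_TYPE[type];
  if (expected && extOf(name) !== expected) name = `${name}.${expected}`;
  return name;
}
```

With the quoted link and a `text/plain` response, the saved name becomes `Important_Security_Update.txt`.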

