[whatwg] "Content-Disposition" property for <a> tags
Boris Zbarsky
bzbarsky at MIT.EDU
Sun May 1 09:56:32 PDT 2011
On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>
At least in the case of Firefox for that particular case on Windows the
filename will be sanitized...
But yes, there are other situations where things could be more problematic.
-Boris
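
The concern raised in this thread, as an added example that is not part of the original messages and is not Firefox's actual sanitizer: a user agent can refuse to let a markup-supplied filename keep an extension that disagrees with the Content-Type the server sent. The function names, the type-to-extension table and the ".bin" fallback are assumptions made for illustration.

```javascript
// Hypothetical policy table (assumption): extensions accepted per response media type.
const EXTENSIONS_BY_TYPE = {
  "text/plain": ["txt", "text", "log"],
  "image/png": ["png"],
  "application/pdf": ["pdf"],
};

// Extract the filename parameter from a disposition value such as
//   attachment; filename="x.exe"
// Handles the quoted-string and token forms only (not filename*=).
function parseFilename(disposition) {
  const m = /;\s*filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))/i.exec(disposition || "");
  if (!m) return null;
  return m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : m[2];
}

// Reduce a suggested name to a leaf name: drop path components, replace control
// characters and characters Windows forbids, trim trailing dots/spaces and leading dots.
function cleanLeafName(name) {
  const leaf = name.split(/[\\/]/).pop();
  return leaf
    .replace(/[\u0000-\u001f\u007f<>:"|?*]/g, "_")
    .replace(/[. ]+$/, "")
    .replace(/^\.+/, "");
}

// Pick the name to save under. The response's Content-Type, which the linking
// page does not control, decides the extension; the markup only suggests a base name.
function chooseDownloadName(disposition, responseType, fallback) {
  const type = (responseType || "").split(";")[0].trim().toLowerCase();
  const allowed = EXTENSIONS_BY_TYPE[type];
  let name = cleanLeafName(parseFilename(disposition) || fallback || "");
  if (!name) name = "download";
  const dot = name.lastIndexOf(".");
  const base = dot > 0 ? name.slice(0, dot) : name;
  const ext = dot > 0 ? name.slice(dot + 1).toLowerCase() : "";
  // Unknown media type: fall back to a neutral extension (policy choice, assumption).
  if (!allowed) return base + ".bin";
  // Extension agrees with the served type: keep the suggested name as is.
  if (allowed.includes(ext)) return name;
  // Extension disagrees with the served type: replace it with the type's own.
  return base + "." + allowed[0];
}

// Constructed input modelled on the link quoted in the thread.
console.log(chooseDownloadName(
  'attachment; filename="Important_Security_Update.exe"',
  "text/plain; charset=utf-8",
  "harmless_text_file.txt"
));
```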