[whatwg] "Content-Disposition" property for <a> tags
bzbarsky at MIT.EDU
Sun May 1 09:56:32 PDT 2011
On 4/30/11 2:24 PM, Michal Zalewski wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>
At least in the case of Firefox for that particular case on Windows the
filename will be sanitized...
But yes, there are other situations where things could be more problematic.
More information about the whatwg