[whatwg] Priority between <a download> and content-disposition

[Jonas Sicking]

It's currently unclear what to do if a page contains markup like <a
href="page.txt" download="A.txt"> if the resource at audio.wav
responds with either

1) Content-Disposition: inline
2) Content-Disposition: inline; filename="B.txt"
3) Content-Disposition: attachment; filename="B.txt"

People generally seem to have a harder time with getting header data
right, than getting markup right, and so I think that in all cases we
should display the "save as" dialog (or display equivalent download
UI) and suggest the filename "A.txt".

The spec is currently defining something else at least for 3.

Potentially there are reasons to do something different in the case
when the linked resource lives off of a different origin since in that
case there might be security reasons to use the filename or
disposition of the server that is actually serving up the content.
However I don't think we can expect people to indicate
"Content-Disposition: inline" in order to protect resources. Nor do I
think that simply using a different filename is going to meaningfully
protect downloaded content. So I think a stronger UI warning is needed
in this scenario.

Firefox currently doesn't support cross-origin @download references,
so I don't have any meaningful implementation experience to share
regarding that scenario.

/ Jonas