[whatwg] Priority between <a download> and content-disposition

Bjoern Hoehrmann derhoermi at gmx.net
Mon Mar 18 05:50:24 PDT 2013

* Jonas Sicking wrote:
>It's currently unclear what to do if a page contains markup like <a
>href="page.txt" download="A.txt"> if the resource at audio.wav
>responds with either
>1) Content-Disposition: inline
>2) Content-Disposition: inline; filename="B.txt"
>3) Content-Disposition: attachment; filename="B.txt"
>People generally seem to have a harder time with getting header data
>right, than getting markup right, and so I think that in all cases we
>should display the "save as" dialog (or display equivalent download
>UI) and suggest the filename "A.txt".

You mention `audio.wav` but that is not part of your example. Also note
that there are all manners of other things web browsers need to take in-
to account when deciding on download file names, you might not want to
e.g. suggest using "desktop.ini", "autorun.inf" or "prn" to the user.

That aside, it seems clear to me that when the linking context says to
download, then that is what a browser should do, much as it would when
the user manually selects a "download" context menu option. In contrast,
when the server says filename="example.xpi" then the browser should pick
that name instead of allowing overrides like

  <a href='example.xpi' download='example.zip' ...>...

which would cause a lot of headache, especially from third parties. And
allowing such overrides in "same-origin" scenarios seems useless and is
asking for trouble ("download filenames broken after moving to CDN").

>However I don't think we can expect people to indicate
>"Content-Disposition: inline" in order to protect resources. Nor do I
>think that simply using a different filename is going to meaningfully
>protect downloaded content. So I think a stronger UI warning is needed
>in this scenario.

I am not sure what you are referring to here, could you elaborate?
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

More information about the whatwg mailing list