[whatwg] Priority between <a download> and content-disposition

Michal Zalewski lcamtuf at coredump.cx
Mon Mar 18 07:30:23 PDT 2013


I think I raised this on several other threads; in essence, countless
websites permit users to upload constrained file formats, such as
JPEGs or GIFs used as profile images. With content sniffing attacks,
we've already seen that it's relatively trivial for an attacker to make
files that are both valid images, and also pretend to be some other,
more dangerous file format.

Because many browsers prominently display the origin of a download and
it's the only security indicator users really have, I think it's
harmful to permit something like:

<a href='http://www.facebook.com/.../user_profile_image.jpg'
download='important_facebook_update.exe'>

In fact, given the security problems it creates and the fact that they
will be difficult to fully mitigate without establishing some sort of
a new 'opt-out' mechanism akin to X-Content-Type-Options (to which
most of the Internet will remain oblivious), I'm not entirely sure if
the value of download= (which seems dubious, TBH) justifies the risk.

/mz
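An added example, not part of the post above: a small Python scanner (a defender-side check, not anything from the whatwg thread or a browser) that walks the anchors of a page and reports links whose download= name would present a file fetched from a different origin under a riskier extension than the URL itself carries. The HTML, the hosting page origin and the extension list are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Constructed list of extensions a download= rename should never introduce.
RISKY_EXTS = {".exe", ".msi", ".bat", ".cmd", ".scr", ".js", ".vbs", ".hta", ".ps1"}

# Constructed sample page: the first anchor mirrors the post's example.
SAMPLE_HTML = """
<a href='http://www.facebook.com/photos/user_profile_image.jpg'
   download='important_facebook_update.exe'>update</a>
<a href='https://files.example.net/report.pdf' download='report.pdf'>report</a>
<a href='/docs/setup.exe' download>setup</a>
"""
PAGE_ORIGIN = "https://attacker-controlled.example"  # constructed hosting origin


def _ext(name):
    return posixpath.splitext(name)[1].lower()


class _AnchorCollector(HTMLParser):
    """Collect the attribute dict of every <a> start tag."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def suspicious_download_links(html, page_origin):
    """Return anchors whose download= value renames the linked resource to a
    risky extension that the href itself does not carry; cross_origin marks the
    case the post warns about, where the browser's origin indicator would show
    the third-party host rather than the page supplying the name."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for a in parser.anchors:
        href, name = a.get("href"), a.get("download")
        if not href or not name:          # bare `download` keeps the URL's own name
            continue
        parts = urlsplit(href)
        link_origin = f"{parts.scheme}://{parts.netloc}".lower()
        cross_origin = bool(parts.netloc) and link_origin != page_origin.lower()
        href_ext, name_ext = _ext(posixpath.basename(parts.path)), _ext(name)
        if name_ext in RISKY_EXTS and name_ext != href_ext:
            findings.append({"href": href, "download": name, "href_ext": href_ext,
                             "name_ext": name_ext, "cross_origin": cross_origin})
    return findings


if __name__ == "__main__":
    for finding in suspicious_download_links(SAMPLE_HTML, PAGE_ORIGIN):
        print(finding)
```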