[whatwg] Priority between <a download> and content-disposition

Glenn Maynard glenn at zewt.org
Mon Mar 18 07:50:19 PDT 2013

On Mon, Mar 18, 2013 at 9:30 AM, Michal Zalewski <lcamtuf at coredump.cx>wrote:

> I think I raised this on several other threads; in essence, countless
> websites permit users to upload constrained file formats, such as
> JPEGs or GIFs used as profile images. With content sniffing attacks,
> we've already seen that it's relatively trivial for attacker to make
> files that are both valid images, and also pretend to be some other,
> more dangerous file format.

Because many browsers prominently display the origin of a download and
> it's the only security indicators users really have, I think it's
> harmful to permit something like:

> <a href='http://www.facebook.com/.../user_profile_image.jpg'
> download='important_facebook_update.exe'>

Downloads are associated with the site the link is on, not the domain the
resource is served from.  If users click a download link and the file comes
from s3.amazonaws.com, they didn't come from Amazon; they came from your

The origin of downloads should probably not be displayed in a prominent
location, since to typical users it's useless and potentially misleading;
it should be hidden in something like a "details" button.

Glenn Maynard

More information about the whatwg mailing list