[whatwg] Priority between <a download> and content-disposition
Glenn Maynard
glenn at zewt.org
Mon Mar 18 07:50:19 PDT 2013
On Mon, Mar 18, 2013 at 9:30 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> I think I raised this on several other threads; in essence, countless
> websites permit users to upload constrained file formats, such as
> JPEGs or GIFs used as profile images. With content sniffing attacks,
> we've already seen that it's relatively trivial for attacker to make
> files that are both valid images, and also pretend to be some other,
> more dangerous file format.
> Because many browsers prominently display the origin of a download and
> it's the only security indicators users really have, I think it's
> harmful to permit something like:
>
> <a href='http://www.facebook.com/.../user_profile_image.jpg'
> download='important_facebook_update.exe'>
>
Downloads are associated with the site the link is on, not the domain the
resource is served from. If users click a download link and the file comes
from s3.amazonaws.com, they didn't come from Amazon; they came from your
page.
The origin of downloads should probably not be displayed in a prominent
location, since to typical users it's useless and potentially misleading;
it should be hidden in something like a "details" button.
--
Glenn Maynard
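The disagreement above is over which of two signals should name a saved file: the linking page's `download` attribute or the resource server's `Content-Disposition` header. The following is an added example, not code from the thread or from any browser, of one conservative resolution policy: honour `download` only when the resource is same-origin with the linking document, and otherwise fall back to the server's `Content-Disposition` filename, then to the URL's last path segment. The function names, the policy itself and the inputs below are assumptions for illustration; the `Content-Disposition` parser is deliberately minimal and does not handle RFC 5987 `filename*=`.

```javascript
// Added example (not part of the whatwg thread): one conservative policy for
// choosing a download filename when both <a download> and Content-Disposition
// are present. The policy is an assumption for illustration, not a description
// of what any browser actually does.
//
// Rule: the `download` attribute is honoured only when the linking document and
// the resource share an origin. For cross-origin resources the server's
// Content-Disposition filename wins, falling back to the URL's last path
// segment. Whichever source wins, path components are stripped from the name.

function sameOrigin(documentUrl, href) {
  return new URL(documentUrl).origin === new URL(href).origin;
}

// Minimal Content-Disposition parser: handles `filename="quoted"` and
// `filename=token` only. `filename*=` (RFC 5987) is intentionally ignored.
function contentDispositionFilename(header) {
  if (!header) return null;
  const m = /;\s*filename\s*=\s*(?:"([^"]*)"|([^;\s]+))/i.exec(header);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Last non-empty path segment of the URL, percent-decoded where possible.
function urlBasename(href) {
  const last = new URL(href).pathname.split('/').filter(Boolean).pop();
  if (!last) return 'download';
  try {
    return decodeURIComponent(last);
  } catch (e) {
    return last;
  }
}

// Drop anything that could be read as a directory component or a hidden-file
// prefix, so a name like "../../evil.exe" cannot escape the download folder.
function sanitizeName(name) {
  const base = name.split(/[\\/]/).pop() || 'download';
  return base.replace(/^\.+/, '') || 'download';
}

// Returns the chosen filename together with which signal it came from, so a
// download UI could show the provenance of the name rather than only the
// origin of the bytes.
function resolveDownloadName({ documentUrl, href, downloadAttr, contentDisposition }) {
  if (downloadAttr && sameOrigin(documentUrl, href)) {
    return { name: sanitizeName(downloadAttr), source: 'download-attribute' };
  }
  const cdName = contentDispositionFilename(contentDisposition);
  if (cdName) {
    return { name: sanitizeName(cdName), source: 'content-disposition' };
  }
  return { name: sanitizeName(urlBasename(href)), source: 'url' };
}

// Constructed inputs modelled on the scenario in the quoted message: a link on
// a third-party page pointing at an uploaded profile image, with `download`
// asking for an .exe name. Under this policy the attribute is ignored.
const example = resolveDownloadName({
  documentUrl: 'https://third-party.example/page.html',
  href: 'http://www.facebook.com/photos/user_profile_image.jpg',
  downloadAttr: 'important_facebook_update.exe',
  contentDisposition: 'inline',
});
console.log(example); // { name: 'user_profile_image.jpg', source: 'url' }

module.exports = { sameOrigin, contentDispositionFilename, urlBasename, sanitizeName, resolveDownloadName };
```

Returning the `source` alongside the name is the design point: if a UI is going to show the user one indicator, which party chose the filename is at least as relevant as which host served the bytes.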