[whatwg] Priority between <a download> and content-disposition

Glenn Maynard glenn at zewt.org
Mon Mar 18 16:38:27 PDT 2013


On Mon, Mar 18, 2013 at 12:00 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> > Downloads are associated with the site the link is on, not the domain the
> > resource is served from.  If users click a download link and the file comes
> > from s3.amazonaws.com, they didn't come from Amazon; they came from your
> > page.
>
> I don't believe that's the case in most browser UIs.


This is about how the Web works, not browser UIs.  If I click a link on
www.computerviruses.com, and it prompts me to save a file to disk, I make
my decision of what to do with the file based on the context of the link I
clicked.  The host serving the file is irrelevant.  Anybody can host a
hostile file on amazonaws.com or any number of hosts which may sound
"safe"; the endorsement of whether a file is safe comes from how and where
it's linked, not where it's hosted.

> In fact, I don't
> think it should be. For example, if I search for something on
> google.com, and this takes me a page that serves Content-Disposition:
> attachment; filename="impotant_google_update.exe", we don't want to
> imply that Google endorsed that, right?
>

The point isn't that browsers should have a big UI showing the page where
you clicked the link.  The point is that links are judged based on whether
you trust the site linking the file, and whether the page endorses the link
(which search results don't).

-- 
Glenn Maynard


