[whatwg] Priority between <a download> and content-disposition
bzbarsky at MIT.EDU
Tue May 7 19:18:38 PDT 2013
On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
> A @download attribute with a value would override both factors, like so:
> (1) Download it.
> (2) "A.txt"

You say this as if it were obvious, but it's not obvious to me at all...
What's the reasoning that makes this the desirable behavior?

> I don't see what the security concerns might be: There is no
> difference here than what is already available

There is if you allow cross-origin @download.
There is if you allow untrusted markup on your server and don't sanitize
away @download (should it be sanitized away? Unclear).

> AFAICT, there are no content
> sniffing or cross-domain issues at play.

But there are; see above.

> results when saving a file; they don't do any file extension vs. file
> format checking.

Uh... that depends on exactly how you save and your OS. Browsers
commonly do file extension vs MIME type checking on Windows. Behavior
on other OSes varies, and varies across browsers.
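
If a site that accepts untrusted markup decides to sanitize away @download, the point raised in the message above, the stripping step could look like the following. This is an added example, not code from the thread, the spec or any browser; `strip_download`, `DownloadStripper` and the sample markup are constructed for illustration, and handling `<area>` the same way as `<a>` is an assumption.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the attribute is dropped only on link elements.
LINK_TAGS = {"a", "area"}

class DownloadStripper(HTMLParser):
    """Re-serializes markup, omitting download= on link elements.
    Comments and declarations are dropped; this is one sanitizer step, not a full one."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0

    def _tag(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:  # names arrive lowercased, values unescaped
            if name == "download" and tag in LINK_TAGS:
                self.removed += 1
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def strip_download(markup):
    """Return (sanitized_markup, number_of_download_attributes_removed)."""
    parser = DownloadStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample: valued, valueless/uppercase, and absent download attributes.
SAMPLE = ('<p>See <a href="https://other.example/report" download="A.txt">this</a> '
          'and <a HREF="/x" DOWNLOAD>that</a> &amp; <a href="/y">plain</a></p>')
```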