[whatwg] Priority between <a download> and content-disposition

Boris Zbarsky bzbarsky at MIT.EDU
Tue May 7 19:18:38 PDT 2013

On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
> A @download attribute with a value would override both factors, like so:
> (1) Download it.
> (2) "A.txt"


You say this as if it were obvious, but it's not obvious to me at all... 
  What's the reasoning that makes this the desirable behavior?

> I don't see what the security concerns might be: There is no
> difference here than what is already available

There is if you allow cross-origin @download.

There is if you allow untrusted markup on your server and don't sanitize 
away @download (should it be sanitized away?  Unclear).

> AFAICT, there are no content
> sniffing or cross-domain issues at play.

But there are; see above.

> results when saving a file; they don't do any file extension vs. file
> format checking.

Uh... that depends on exactly how you save and your OS.  Browsers 
commonly do file extension vs MIME type checking on Windows.  Behavior 
on other OSes varies, and varies across browsers.


More information about the whatwg mailing list