[whatwg] Priority between <a download> and content-disposition

Gordon P. Hemsley gphemsley at gmail.com
Wed May 8 09:15:42 PDT 2013


On Wed, May 8, 2013 at 12:01 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 5/8/13 10:45 AM, Gordon P. Hemsley wrote:
>>
>> I still think @download takes priority.
>>
>> The Content-Disposition header says, "Nevermind what filename the URL
>> shows; this is really file B.txt."
>>
>> The @download attribute says, "Nevermind what filename this link would
>> normally be; let's just consider it A.txt."
>
>
> OK, that's at least a reasonable argument for the behavior.  ;)
>
>
>> That seems like quite a sophisticated attack that relies on a lot of
>> things falling into place all at once.
>
>
> Uh... yes.  Like most browser exploits.

Perhaps. But maybe I'm not clear on what exactly the alternate
proposal is. Are you suggesting not supporting the @download
attribute? Or just ignoring it when Content-Disposition specifies a
filename? (I would suggest that neither is the appropriate response.)

>> Then I think it is the responsibility of the UA to sniff the file and
>> protect the user from such attempts to mislead.
>
>
> This is not trivial, since sniffing can easily fail on files that are both
> HTML and png or both HTML and exe at the same time.  There's a good bit of
> research on things like this.

Yes, and that research has already gone into creating the mimesniff
standard, has it not? I'm suggesting use the existing algorithm(s) in
an additional arena, not creating a new, separate algorithm.

If a file from an image sharing site is served as (or determined to
be, via the sniffing algorithms) image/png, for example, then the UA
should suggest a filename with a .png extension, ignoring any
suggestion by the author for a .exe extension. (Whether you want to
change it to "A.png" or "A.exe.png" is debatable, I suppose.)

>> I'm not sure I have the resources to do extensive real-world testing
>> of this (and that documentation suggests it has been superseded in
>> more modern OSes), but I don't think it would be unreasonable for the
>> UA to override or augment the filename suggested by the @download
>> attribute if it determines that it would not be in the best interest
>> of the user to use the suggested filename unchanged.
>
>
> Phrased that way, using the Content-Disposition filename is a perfectly
> valid "override if not in the best interest of the user" behavior, fwiw.
>
> -Boris
>

True. But doesn't that imply a rejection of my aforementioned
"reasonable argument"?

--
Gordon P. Hemsley
me at gphemsley.org
http://gphemsley.org/
http://gphemsley.org/blog/
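
The filename policy proposed in the message above (a response served or sniffed as image/png should not be saved under a .exe name), as an added example that is not part of the original message or of any browser's code. The function names are hypothetical, and only the leading-byte signatures for PNG, JPEG and GIF are checked, so the polyglot files mentioned in the quoted reply still match as images.

```javascript
// Added example: hypothetical helper names, not browser or spec code.
// Leading-byte signatures for a few image types (as listed in the mimesniff standard).
const SIGNATURES = [
  { type: "image/png",  ext: "png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", ext: "jpg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  ext: "gif", magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { type: "image/gif",  ext: "gif", magic: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
];

// Return the signature entry matching the leading bytes, or null.
function sniffImage(bytes) {
  return SIGNATURES.find(s =>
    bytes.length >= s.magic.length && s.magic.every((b, i) => bytes[i] === b)) || null;
}

// Pick the filename to suggest for <a download="...">.
// mode "replace" gives A.png, mode "append" gives A.exe.png (the two options in the message).
function suggestFilename(downloadAttr, bytes, mode = "append") {
  const hit = sniffImage(bytes);
  if (!hit) return downloadAttr;              // not a known image: keep the author's name
  const dot = downloadAttr.lastIndexOf(".");
  const stem = dot > 0 ? downloadAttr.slice(0, dot) : downloadAttr;
  const ext = dot > 0 ? downloadAttr.slice(dot + 1).toLowerCase() : "";
  // Extension already agrees with the sniffed type: nothing to change.
  if (ext === hit.ext || (hit.ext === "jpg" && ext === "jpeg")) return downloadAttr;
  return (mode === "replace" ? stem : downloadAttr) + "." + hit.ext;
}

// Constructed sample input: the first bytes of a PNG file.
const pngHead = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
console.log(suggestFilename("A.exe", pngHead, "replace"));
console.log(suggestFilename("A.exe", pngHead, "append"));
```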


