[whatwg] Priority between <a download> and content-disposition

Boris Zbarsky bzbarsky at MIT.EDU
Wed May 8 10:37:15 PDT 2013


On 5/8/13 12:37 PM, Gordon P. Hemsley wrote:
> I understand now the motivation for this, but I would think that it
> would remove a lot of the usefulness of the @download attribute

You're right, but we haven't found another mitigation for our security 
concerns.

> If you have the same origin, you probably already have access to (a) name
> the file appropriately in the first place, or (b) set the
> Content-Disposition header to send the appropriate filename. No?

For files, not for things like data: and blob:, which were the primary 
motivation for @download.

That said, there are lots of cases in which someone can upload files but 
not pick the filename on the server or control the headers...

> I'm not so sure about that, but I'll leave it to someone else to
> argue. (If you determine a file to be a PNG, then you suggest a .png
> extension, regardless of whether there might be an embedded
> executable; if you don't support the file format, then how do you know
> that it isn't supposed to be an executable in the first place? —and
> what is it doing on the Web?)

I assume that last question is a joke, yes?  ;)

-Boris



More information about the whatwg mailing list