On Fri, Aug 9, 2013 at 7:47 PM, Ian Hickson i...@hixie.ch wrote:
1) Content-Disposition: inline
[snip]
This seems unambiguous. Where's the problem?
2) Content-Disposition: inline; filename=B.txt
[snip]
Again, this seems unambiguous.
3) Content-Disposition: attachment;
On Sat, 16 Mar 2013, Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav responds
with either
(I'm assuming this is all on the same origin, that there is no script
changing the various attributes,
On Fri, Aug 9, 2013 at 3:53 PM, Ian Hickson i...@hixie.ch wrote:
On Sat, 16 Mar 2013, Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav responds
with either
(I'm assuming this is all on the same
On Fri, 9 Aug 2013, Jonas Sicking wrote:
On Fri, Aug 9, 2013 at 3:53 PM, Ian Hickson i...@hixie.ch wrote:
On Sat, 16 Mar 2013, Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds
On Tue, May 7, 2013 at 10:18 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
A @download attribute with a value would override both factors, like so:
(1) Download it.
(2) A.txt
Why?
You say this as if it were obvious, but it's not obvious to me at
On 5/8/13 6:53 AM, Gordon P. Hemsley wrote:
It's not clear to me which of the two factors you take issue with.
The question of which filename takes priority.
I interpret that first sentence to mean that the file should be
downloaded (disposition type = attachment) rather than displayed
On Wed, May 8, 2013 at 9:43 AM, Boris Zbarsky bzbar...@mit.edu wrote:
On 5/8/13 6:53 AM, Gordon P. Hemsley wrote:
It's not clear to me which of the two factors you take issue with.
The question of which filename takes priority.
The second sentence very clearly suggests
that A.txt would
On 5/8/13 10:45 AM, Gordon P. Hemsley wrote:
I still think @download takes priority.
The Content-Disposition header says, Nevermind what filename the URL
shows; this is really file B.txt.
The @download attribute says, Nevermind what filename this link would
normally be; let's just consider it
On Wed, May 8, 2013 at 12:01 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 5/8/13 10:45 AM, Gordon P. Hemsley wrote:
I still think @download takes priority.
The Content-Disposition header says, Nevermind what filename the URL
shows; this is really file B.txt.
The @download attribute says,
On 5/8/13 12:15 PM, Gordon P. Hemsley wrote:
Perhaps. But maybe I'm not clear on what exactly the alternate
proposal is. Are you suggesting not supporting the @download
attribute? Or just ignoring it when Content-Disposition specifies a
filename? (I would suggest that neither is the appropriate
On Wed, May 8, 2013 at 12:21 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 5/8/13 12:15 PM, Gordon P. Hemsley wrote:
Perhaps. But maybe I'm not clear on what exactly the alternate
proposal is. Are you suggesting not supporting the @download
attribute? Or just ignoring it when
On 5/8/13 12:37 PM, Gordon P. Hemsley wrote:
I understand now the motivation for this, but I would think that it
would remove a lot of the usefulness of the @download attribute
You're right, but we haven't found another mitigation for our security
concerns.
If you have the same origin, you
I realize this is an old thread, so apologies if this has already been
resolved. The discussion that originally followed seemed to have
gotten off track, so I wanted to try to clarify things.
First off, there are two factors to consider:
(1) Whether to download the file or display it.
(2) What
On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
A @download attribute with a value would override both factors, like so:
(1) Download it.
(2) A.txt
Why?
You say this as if it were obvious, but it's not obvious to me at all...
What's the reasoning that makes this the desirable behavior?
I
This is about how the Web works, not browser UIs. If I click a link on
www.computerviruses.com, and it prompts me to save a file to disk, I make my
decision of what to do with the file based on the context of the link I
clicked.
In my experience, the web is a lot more complicated than that.
On 2013-03-18 13:50, Bjoern Hoehrmann wrote:
* Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds with either
1) Content-Disposition: inline
2) Content-Disposition: inline; filename=B.txt
3)
Roger Hågensen resca...@emsai.net schrieb am Tue, 19 Mar 2013
14:31:15 +0100:
[…]
What should be shown if there is an issue/conflict?
Maybe:
Download https://example.com/reports/1/xml/; as report1.xml ?
WARNING! File identified as actually being an executable! (*.exe)
At least here on
On 2013-03-19 15:31, Nils Dagsson Moskopp wrote:
Roger Hågensen resca...@emsai.net schrieb am Tue, 19 Mar 2013
14:31:15 +0100:
[…]
What should be shown if there is an issue/conflict?
Maybe:
Download https://example.com/reports/1/xml/; as report1.xml ?
WARNING! File identified as actually
On Tue, Mar 19, 2013 at 1:15 AM, Michal Zalewski lcam...@coredump.cx wrote:
This is about how the Web works, not browser UIs. If I click a link on
www.computerviruses.com, and it prompts me to save a file to disk, I
make my
decision of what to do with the file based on the context of the
On Mar 17, 2013 4:46 AM, Julian Reschke julian.resc...@gmx.de wrote:
On 2013-03-17 02:49, Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds with either
1) Content-Disposition: inline
* Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds with either
1) Content-Disposition: inline
2) Content-Disposition: inline; filename=B.txt
3) Content-Disposition: attachment; filename=B.txt
On Mon, Mar 18, 2013 at 7:50 AM, Bjoern Hoehrmann derhoe...@gmx.net wrote:
However I don't think we can expect people to indicate
Content-Disposition: inline in order to protect resources. Nor do I
think that simply using a different filename is going to meaningfully
protect downloaded
I think I raised this on several other threads; in essence, countless
websites permit users to upload constrained file formats, such as
JPEGs or GIFs used as profile images. With content sniffing attacks,
we've already seen that it's relatively trivial for an attacker to make
files that are both
On Mon, Mar 18, 2013 at 9:30 AM, Michal Zalewski lcam...@coredump.cx wrote:
I think I raised this on several other threads; in essence, countless
websites permit users to upload constrained file formats, such as
JPEGs or GIFs used as profile images. With content sniffing attacks,
we've already
Downloads are associated with the site the link is on, not the domain the
resource is served from. If users click a download link and the file comes
from s3.amazonaws.com, they didn't come from Amazon; they came from your
page.
I don't believe that's the case in most browser UIs. In fact, I
From: lcam...@coredump.cx
Date: Mon, 18 Mar 2013 10:00:40 -0700
To: gl...@zewt.org
CC: wha...@whatwg.org; derhoe...@gmx.net; jo...@sicking.cc
Subject: Re: [whatwg] Priority between a download and content-disposition
Downloads are associated with the site the link is on, not the domain
On Mon, Mar 18, 2013 at 12:00 PM, Michal Zalewski lcam...@coredump.cx wrote:
Downloads are associated with the site the link is on, not the domain the
resource is served from. If users click a download link and the file
comes
from s3.amazonaws.com, they didn't come from Amazon; they came
On 2013-03-17 02:49, Jonas Sicking wrote:
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds with either
1) Content-Disposition: inline
2) Content-Disposition: inline; filename=B.txt
3) Content-Disposition:
On Sun, Mar 17, 2013 at 6:46 AM, Julian Reschke julian.resc...@gmx.de wrote:
1) Content-Disposition: inline
2) Content-Disposition: inline; filename=B.txt
3) Content-Disposition: attachment; filename=B.txt
People generally seem to have a harder time with getting header data
right, than
It's currently unclear what to do if a page contains markup like a
href=page.txt download=A.txt if the resource at audio.wav
responds with either
1) Content-Disposition: inline
2) Content-Disposition: inline; filename=B.txt
3) Content-Disposition: attachment; filename=B.txt
People generally seem