On Thu, Jul 21, 2011 at 11:58 PM, Ian Hickson <[email protected]> wrote:
> Is there any reason to use CORS here at all? It seems like the simpler
> solution would be the following:
>
> - If download="" is set, then by default trigger a download rather than a
>   navigation action. (User can override via context menu.)
> - Pick a filename for the download as follows:
>   - if the received resource has a Content-Disposition: attachment header
>     that specifies a filename, use that.
>   - otherwise, if the received resource has a Content-Disposition header
>     that specifies a filename, and the resource is same-origin, use that
>     filename.
>   - otherwise, if the received resource is same-origin and the
>     download="" attribute specifies a filename, use that.
>   - otherwise, if the received resource has a Content-Disposition:
>     attachment header and the download="" attribute specifies a filename,
>     use the filename from the attribute.
>   - otherwise, if the received resource is same-origin then derive a
>     filename from the resource.
>   - otherwise, either abort or alert the user that a file is being
>     downloaded from a different origin and prompt for a filename.
> - If a mapping from the MIME type to an extension is known, but the
>   filename doesn't have that extension, add it.
>
> This is what I've used for now (modulo some allowances for user
> interfaces), but I welcome suggestions for changing this.
The "otherwise, either abort or alert the user that a file is being downloaded from a different origin and prompt for a filename" step seems to allow two *very* different browser behaviors, resulting in a site working in one browser, but not in another.

I'm still trying to find a date when we can do a security review about this in mozilla though.

It still does seem very strange to me that a bank site which sends "cache-control: no-store" for a resource in order to prevent it from being temporarily stored on the user's hard drive, can still end up being *permanently* stored on a user's hard drive. All that's needed is for the user to click a 'yes' button on a download dialog while watching a seemingly harmless site.

/ Jonas
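
The filename-selection steps quoted above, written out as a small model so the same-origin and Content-Disposition rules can be checked against concrete inputs. This is an added example, not code from the thread or from any browser; the function names (`pickDownloadFilename`, `parseContentDisposition`), the minimal Content-Disposition parser, the sample MIME-to-extension table and the `{ action, filename }` result shape are all assumptions made for illustration.

```javascript
// Added example: a model of the download-filename steps from the quoted
// message. Not a browser implementation; names and shapes are assumed.

// Minimal Content-Disposition parser (assumption: handles the common
// `attachment; filename="x"` / `inline; filename=x` forms only).
// Returns { type, filename } or null when the header is absent.
function parseContentDisposition(header) {
  if (!header) return null;
  const parts = header.split(';').map((p) => p.trim());
  const type = parts[0].toLowerCase();
  let filename = null;
  for (const p of parts.slice(1)) {
    const m = /^filename\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) filename = m[1];
  }
  return { type, filename };
}

// Same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// "derive a filename from the resource": last path segment of the URL.
function basename(url) {
  const seg = new URL(url).pathname.split('/').filter(Boolean).pop();
  return seg ? decodeURIComponent(seg) : 'download';
}

// Constructed sample mapping for the final extension step.
const MIME_TO_EXT = { 'application/pdf': '.pdf', 'text/csv': '.csv' };

// pageUrl: origin of the document holding the <a download> link.
// resourceUrl/headers: the response actually received (headers lower-cased).
// downloadAttr: value of the download="" attribute ('' means no filename).
// Returns { action: 'download', filename } or { action: 'prompt', filename: null }.
function pickDownloadFilename({ pageUrl, resourceUrl, headers, downloadAttr }) {
  const cd = parseContentDisposition(headers['content-disposition']);
  const same = sameOrigin(pageUrl, resourceUrl);
  const attrName = downloadAttr ? downloadAttr : null;
  let filename = null;

  if (cd && cd.type === 'attachment' && cd.filename) {
    filename = cd.filename;                 // server opted in and named the file
  } else if (cd && cd.filename && same) {
    filename = cd.filename;                 // any disposition filename, same-origin only
  } else if (same && attrName) {
    filename = attrName;                    // link may name same-origin content
  } else if (cd && cd.type === 'attachment' && attrName) {
    filename = attrName;                    // cross-origin, but server said "attachment"
  } else if (same) {
    filename = basename(resourceUrl);       // derive from the resource itself
  } else {
    return { action: 'prompt', filename: null }; // cross-origin, no opt-in: abort/prompt
  }

  // Append the extension mapped from the MIME type if it is missing.
  const mime = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const ext = MIME_TO_EXT[mime];
  if (ext && !filename.toLowerCase().endsWith(ext)) filename += ext;
  return { action: 'download', filename };
}

module.exports = { parseContentDisposition, pickDownloadFilename };
```

Note that nothing in these steps consults the response's Cache-Control header: the only signals a cross-origin server has are Content-Disposition and the same-origin relationship, which is exactly the gap the reply above points at for a "no-store" resource that still ends up on disk through the prompt branch.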
