On 5/7/13 5:54 PM, Gordon P. Hemsley wrote:
> A @download attribute with a value would override both factors, like so:
> (1) Download it.
> (2) "A.txt"

Why?

You say this as if it were obvious, but it's not obvious to me at all... What's the reasoning that makes this the desirable behavior?

> I don't see what the security concerns might be: There is no
> difference here than what is already available

There is if you allow cross-origin @download.

There is if you allow untrusted markup on your server and don't sanitize away @download (should it be sanitized away? Unclear).

> AFAICT, there are no content
> sniffing or cross-domain issues at play.

But there are; see above.

> results when saving a file; they don't do any file extension vs. file
> format checking.

Uh... that depends on exactly how you save and your OS. Browsers commonly do file extension vs MIME type checking on Windows. Behavior on other OSes varies, and varies across browsers.

-Boris
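
As an added example (not part of the original message, nor code from any browser or specification): one way a server that accepts untrusted markup could sanitize away @download before serving it, using Python's standard `html.parser`. The names `DownloadStripper` and `strip_download`, the strip-everywhere policy and the sample markup are assumptions made for illustration; the code removes only this attribute and is not a complete HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: site policy is to drop @download from all user-supplied markup.
STRIPPED_ATTRS = {"download"}


class DownloadStripper(HTMLParser):
    """Re-serialize markup, omitting attributes named in STRIPPED_ATTRS."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.removed = []  # (tag, attribute value) pairs, for logging

    def _tag(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases tag and attribute names
            if name in STRIPPED_ATTRS:
                self.removed.append((tag, value))
            elif value is None:  # bare attribute without a value
                kept.append(f" {name}")
            else:  # values arrive unescaped, so escape them again
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")


def strip_download(markup):
    """Return (sanitized markup, list of removed (tag, value) pairs)."""
    parser = DownloadStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: mixed-case attribute names, one valued and one bare @download.
SAMPLE = ('<p>See <a HREF="/uploads/blob" DownLoad="A.txt">notes</a> &amp; '
          '<a href="/x" download>more</a></p>')

if __name__ == "__main__":
    print(strip_download(SAMPLE))
```

The returned list of removed values lets the server log which suggested filenames were dropped from a submission.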
