[Webkit-unassigned] [Bug 64580] Add support for download='filename' in anchors

bugzilla-daemon at webkit.org
Fri Jul 22 16:02:21 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64580

--- Comment #51 from Darin Fisher (:fishd, Google) <fishd at chromium.org>  2011-07-22 16:02:21 PST ---
(In reply to comment #50)
> I'm worried about Safari carpet bombing (e.g. <http://blogs.pcmag.com/securitywatch/2008/05/safari_carpet_bombing.php>).

I don't understand why this adds any kind of new "carpet bombing" vector.  A web page can already trigger downloads automatically using a cooperative server.  What am I missing?


> If my reading is correct, HTML5 says that synthetic events shouldn't work with links:

I think your reading of the spec is correct.  I would actually quote the 'activation behavior' section of a elements:

  If the click event in question is not trusted (i.e. a click() method call
  was the reason for the event being dispatched), and either the a element
  has a download attribute or the element's target attribute is present and
  applying the rules for choosing a browsing context given a browsing context
  name, using the value of the target attribute as the browsing context name,
  would result in there not being a chosen browsing context, then raise an
  INVALID_ACCESS_ERR exception and abort these steps.

^^^ We can extract the following from the above text:

  If the click event in question is not trusted, and [...] the a element
  has a download attribute [...], then raise an INVALID_ACCESS_ERR exception
  and abort these steps.

I really wonder why that was put in the spec.  I don't see what problem that
is solving that wouldn't already exist.  Will we require there to be a user
gesture active in order for someone to use the FileSaver API?

If it is so important that there be a user gesture present, then what about
clickjacking attacks?
