[Webkit-unassigned] [Bug 64580] Add support for download='filename' in anchors
bugzilla-daemon at webkit.org
Fri Jul 22 16:39:31 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64580
--- Comment #52 from Alexey Proskuryakov <ap at webkit.org> 2011-07-22 16:39:31 PST ---
> I don't understand why this adds any kind of new "carpet bombing" vector. A web page can already trigger downloads automatically using a cooperative server. What am I missing?
I think that your analysis is accurate. The difference is that this is a new feature, so it's super safe to prevent programmatic downloading here from the start, and look into changing regular link behavior as a more dangerous fix later.
> I really wonder why that was put in the spec. I don't see what problem that
> is solving that wouldn't already exist. Will we require there to be a user
> gesture active in order for someone to use the FileSaver API?
(1) I don't know the history of that, but I like that direction.
(2) Yes. I guess so?..
> If it is so important that there be a user gesture present, then what about
> click jacking attacks?
Is that something that can easily be prevented from the start? Otherwise, that may be a problem to think about in the future as the HTML5 platform matures.
As a possibly obvious comment, I'm not talking about a user gesture being present - if that were the requirement, then a page could click() any number of links when handling a click on text content, for example. It should be an actual difference between real and synthetic events.
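The distinction drawn in the comment above, between "a user gesture is present" and "the event itself is real", can be shown with a small model. This is an added example, not code from the bug or from WebKit; the `simulate` function, the link objects and the file names are constructed for illustration, and only the `isTrusted` name mirrors the DOM `Event.isTrusted` attribute.

```javascript
// Toy model of download-link activation (constructed; not WebKit code).
// policy "gesture": allow a download while any user gesture is being handled.
// policy "trusted": allow a download only for the user-generated click itself.
function simulate(policy, linkCount) {
  const downloads = [];
  let gestureActive = false;

  // The browser's decision point for a link carrying a download attribute.
  function activate(link, event) {
    const allowed = policy === "gesture" ? gestureActive : event.isTrusted;
    if (allowed) downloads.push(link.name);
  }

  // Hypothetical stand-in for an <a download> element.
  const makeLink = (name) => ({
    name,
    // Script-initiated click: the resulting event is synthetic.
    click() { activate(this, { isTrusted: false }); },
  });

  const links = Array.from({ length: linkCount },
                           (_, i) => makeLink(`file${i}.bin`));

  // Page script: while handling a click on text, click() every download link.
  function onTextClick() { links.forEach((l) => l.click()); }

  // One real user click on ordinary text content (not on a link).
  gestureActive = true;
  onTextClick();
  gestureActive = false;

  // One real user click directly on the first link.
  gestureActive = true;
  activate(links[0], { isTrusted: true });
  gestureActive = false;

  return downloads.length;
}

console.log("gesture-present policy:", simulate("gesture", 20)); // 21
console.log("real-event-only policy:", simulate("trusted", 20)); // 1
```

Under the gesture-present policy a single click on text fans out to every link; under the real-event policy only the link the user actually clicked produces a download.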