[Webkit-unassigned] [Bug 64580] Add support for download='filename' in anchors
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jul 22 16:49:44 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64580
--- Comment #53 from Darin Fisher (:fishd, Google) <fishd at chromium.org> 2011-07-22 16:49:44 PST ---
(In reply to comment #52)
> > I don't understand why this adds any kind of new "carpet bombing" vector. A web page can already trigger downloads automatically using a cooperative server. What am I missing?
>
> I think that your analysis is accurate. The difference is that this is a new feature, so it's super safe to prevent programmatic downloading here from the start, and look into changing regular link behavior as a more dangerous fix later.
You agree with me that being conservative here has no technical merits, and yet you prefer to be conservative? I'm not sure which analysis you are agreeing with :-)
> > If it is so important that there be a user gesture present, then what about
> > click jacking attacks?
>
> Is that something that can easily be prevented from the start? Otherwise, that may be a problem to think about in the future as the HTML5 platform matures.
I don't see how to avoid it. Clearly the page can be moving an anchor tag around, with the intention of tricking the user into clicking on the anchor tag accidentally. If we think we are protecting something by requiring a real user click on an anchor tag to authorize something, then we are mistaken. There are many things in HTML that were invented without considering click-jacking attacks.
> As a possibly obvious comment, I'm not talking about a user gesture being present - if that were the requirement, then a page could click() any number of links when handling a click on text content, for example. It should be an actual difference between real and synthetic events.
Yeah, sorry for introducing confusion there. There's not a big difference really. Though with click-jacking you can only get a single anchor tag to be clicked, as opposed to many, if the goal is to prevent @download from triggering a download without the user's intent, then the HTML spec doesn't achieve that goal.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list