This is regarding the application/octet-stream test here: https://ios.browsr-tests.com/alt/downloads.php
The desktop versions of Chrome, Firefox, and Safari will download the file. Same for Chrome and Firefox on Android. But on iOS, all three browsers execute/interpret the file as if it were HTML, including the Javascript it contains.
My question: Is that okay?
I know that downloads ought to use Content-Disposition: attachment, and this SO answer talks about not relying on Content-Type. But... this still seems wrong.
There were CVEs for treating text/plain as HTML (CVE-2010-1420, CVE-2013-5151). How is that really wrong but application/octet-stream is okay?
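As an added example (not code from the question or from the browsr-tests site), the following shows the server-side headers a download endpoint should emit so that it does not depend on how a given browser treats application/octet-stream, together with a small audit function that flags a response lacking them. The function names and the CSP sandbox line are my own choices, not something the question specifies; the point is that Content-Disposition: attachment and X-Content-Type-Options: nosniff are the signals browsers honour, while Content-Type alone is not.

```python
import re
from urllib.parse import quote


def download_headers(filename: str, content_type: str = "application/octet-stream") -> dict:
    """Build response headers for serving a file as a download rather than a document.

    Hypothetical helper for illustration; not taken from the test site.
    """
    # Keep only the last path segment and neutralise CR/LF, quotes and slashes so a
    # user-supplied name cannot inject extra headers or break the quoted parameter.
    safe = re.sub(r'[\r\n"\\/]', "_", filename.split("/")[-1]) or "download"
    return {
        "Content-Type": content_type,
        # "attachment" is the signal browsers honour for "save this, do not render it".
        "Content-Disposition": f'attachment; filename="{safe}"; filename*=UTF-8\'\'{quote(safe)}',
        # Tells browsers not to sniff the body and reinterpret the declared type.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if a client does render the bytes, no script may run.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def audit_download_response(headers: dict) -> list:
    """Return a list of findings for a response that is meant to be a file download.

    An empty list means the response carries the headers that make the download
    robust across browsers; each string describes one missing protection.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    disposition = lowered.get("content-disposition", "")
    if not disposition.strip().lower().startswith("attachment"):
        findings.append("missing Content-Disposition: attachment")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type in ("", "text/html"):
        findings.append("Content-Type is absent or text/html")
    return findings


if __name__ == "__main__":
    # Constructed sample: the headers a download endpoint should send...
    good = download_headers("report.bin")
    print(good)
    print("findings:", audit_download_response(good))
    # ...versus a response that relies on the media type alone, as in the question.
    weak = {"Content-Type": "application/octet-stream"}
    print("findings:", audit_download_response(weak))
```

Run it directly to see the two audits; the second set of findings describes exactly the configuration the question asks about, where nothing but the media type tells the browser what to do with the bytes.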