by "saving" the webpage (`file->save as`) instead of downloading it (which Safari automatically adds an extension for) I could force it to save it as `malicious_file` (with no extension).
大多数人认为浏览器的保存功能是安全的,会自动处理文件扩展名以确保文件类型正确。但作者发现,通过使用非标准的Content-Type和保存网页功能,可以绕过Safari的安全检查,保存任意扩展名的文件,这打破了人们对浏览器文件处理安全机制的普遍认知。
I’d notice the network requests going out!Where would you notice them? My code won’t send anything when the DevTools are open (yes even if un-docked).I call this the Heisenberg Manoeuvre: by trying to observe the behaviour of my code, you change the behaviour of my code.
Think first: why do you want to use it in the browser? Remember, servers must never trust browsers. You can't sanitize HTML for saving on the server anywhere else but on the server.