by sammax 1899 days ago
> I found another browser trick that lets force-downloaded TXT files to be opened without user interaction or warning

I wish there was more elaboration on this. Opening a downloaded file without user interaction sounds pretty bad.

That is Safari's default behaviour for ZIP files. Only to extract them, though.
So whenever the program used for extracting ZIPs has a vulnerability, any website could force-download a malicious ZIP and it would automatically be extracted and trigger the vulnerability...

Why is "force-download" even a thing? IMO the browser should always ask before downloading any file. Though this is not a unique Mac thing, I believe Chrome does that everywhere.

What happens with 42.zip and other zip bombs? https://www.bamsoftware.com/hacks/zipbomb/
Still a terrible idea, though.
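
An added illustration of the zip-bomb concern raised in the thread (not code from any commenter, Safari or Chrome): a check that a handler could run before auto-extracting a downloaded ZIP. The limits, function names and sample archives are assumptions constructed for this example.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 1024 * 1024   # assumed budget for extracted data (1 MiB)
MAX_ENTRIES = 100               # assumed cap on archive members
MAX_RATIO = 100                 # assumed max uncompressed/compressed ratio
CHUNK = 64 * 1024


def inspect_zip(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason) without writing anything to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ENTRIES:
                return False, "too many entries"
            # Cheap first pass on the sizes declared in the central directory.
            declared = sum(i.file_size for i in infos)
            packed = sum(i.compress_size for i in infos) or 1
            if declared > MAX_TOTAL_BYTES:
                return False, "declared size over budget"
            if declared / packed > MAX_RATIO:
                return False, "compression ratio over limit"
            # Declared sizes can lie, so count real bytes while decompressing.
            total = 0
            for info in infos:
                with zf.open(info) as member:
                    while chunk := member.read(CHUNK):
                        total += len(chunk)
                        if total > MAX_TOTAL_BYTES:
                            return False, "actual size over budget"
    except zipfile.BadZipFile as exc:
        return False, f"bad zip: {exc}"
    return True, "ok"


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


SMALL = make_zip("notes.txt", b"hello world\n" * 10)          # constructed, benign
INFLATED = make_zip("zeros.bin", b"\0" * (5 * 1024 * 1024))   # constructed, 5 MiB of zeros
```

The declared-size pass rejects obvious cases cheaply; the streaming pass is the one that holds when the headers understate the real output.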