Security: Text file downloaded as HTML file by Chrome Browser
Reported by
cs.anura...@gmail.com,
Sep 14 2017
Issue description

Normally when we download any file, the browser retrieves the download file name using the filename from the URI or the filename in the Content-Disposition header. If the filename in the Content-Disposition header is empty, then the browser uses the filename from the URI. But this can be tricked, as shown in the POC below, by making use of the ? operator.

Steps to Reproduce:

1) We assume that https://google.com/a.txt contains a text file with the content below:

<script>alert("I should be a text file")</script>

2) Access https://google.com/a.txt in Chrome Browser while intercepting the request in an HTTP interceptor, say Burp Suite.

3) Wait until you see a response for the above request. Since this file does not exist, you will see a 404 Not Found.

4) Just change the response to the one below to simulate a file:

HTTP/1.1 200 OK
Content-Disposition: attachment; filename=""
Content-Type: text/html
Content-Length: 49

<script>alert("I should be a text file")</script>

5) Forward the request; you would see the a.txt file getting downloaded, which is correct.

6) Access https://google.com/a.txt?downloads in Chrome Browser while intercepting the request in an HTTP interceptor, say Burp Suite.

7) Wait until you see a response for the above request. Since this file does not exist, you will see a 404 Not Found.

8) Just change the response to the one below to simulate a file:

HTTP/1.1 200 OK
Content-Disposition: attachment; filename=""
Content-Type: text/html
Content-Length: 49

<script>alert("I should be a text file")</script>

9) Forward the request.

10) Observe that Chrome downloaded a.html instead of a.txt, which was not the intended file. If the client opens the downloaded file thinking of it as a txt file, then all malicious scripts execute.

11) This happens when the user makes use of the ? operator.

**Version** Version 60.0.3112.113 (Official Build) (64-bit)

**Risk** Malicious files are represented as txt files. Since users trust txt files, they won't have a problem running them.

**Recommendation** Make sure file names are decided from the URI and not through the file content header.
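The report turns on a response whose Content-Disposition filename is empty and whose Content-Type does not match the .txt name in the URL path, leaving the browser to pick a name and extension on its own. The following is an added example, not code from the report or from the Chromium project: a server-side helper that always derives the download filename from the URL path (the reporter's recommendation) and pairs it with a matching Content-Type and nosniff, plus a small review check that flags the weak header combination the report uses. The extension-to-type table, the sanitisation rule and the example.com URL are this example's own assumptions.

```python
"""Build and review download headers so the browser never has to guess the filename.

Added example (not from the Chromium report or the Chromium code base).
Header names are standard HTTP; the policy in TEXT_EXTENSIONS and the
findings produced by download_response_findings() are this example's
assumptions about what a careful server should do.
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed policy: extensions that must only ever be served with a
# non-executable text type, so a .txt never arrives as text/html.
TEXT_EXTENSIONS = {".txt": "text/plain", ".log": "text/plain", ".csv": "text/csv"}

_CD_FILENAME = re.compile(r'filename="([^"]*)"')


def filename_from_url(url: str) -> str:
    """Basename of the URL path; the query string (everything after '?') is ignored."""
    return posixpath.basename(urlsplit(url).path)


def build_download_headers(url: str) -> Dict[str, str]:
    """Headers for serving the resource at `url` as an attachment.

    The filename comes from the URL path and is never left empty, so the
    browser does not fall back to deriving a name from Content-Type.
    """
    name = filename_from_url(url)
    # Replace separators, quotes and control characters so the header value
    # cannot carry a different path or break out of the quoted string.
    name = re.sub(r'[\\/"\x00-\x1f]', "_", name)
    if not name:
        raise ValueError("URL path has no basename to use as the download filename")
    ext = posixpath.splitext(name)[1].lower()
    content_type = TEXT_EXTENSIONS.get(ext, "application/octet-stream")
    return {
        "Content-Disposition": f'attachment; filename="{name}"',
        "Content-Type": content_type,
        # Disables MIME sniffing so the declared type is the one the browser uses.
        "X-Content-Type-Options": "nosniff",
    }


def download_response_findings(url: str, headers: Dict[str, str]) -> List[str]:
    """Review a download response; an empty list means nothing to flag."""
    findings: List[str] = []
    cd = headers.get("Content-Disposition", "")
    match = _CD_FILENAME.search(cd)
    cd_name = match.group(1) if match else ""
    if "attachment" in cd and not cd_name:
        findings.append("empty Content-Disposition filename: browser must guess the name")
    url_name = filename_from_url(url)
    url_ext = posixpath.splitext(url_name)[1].lower()
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    expected = TEXT_EXTENSIONS.get(url_ext)
    if expected and ctype != expected:
        findings.append(f"{url_name} served as {ctype!r}, expected {expected!r}")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample: the weak response from the report, as a header dict.
WEAK_RESPONSE = {
    "Content-Disposition": 'attachment; filename=""',
    "Content-Type": "text/html",
    "Content-Length": "49",
}

if __name__ == "__main__":
    url = "https://example.com/a.txt?downloads"  # placeholder host
    for finding in download_response_findings(url, WEAK_RESPONSE):
        print("finding:", finding)
    print(build_download_headers(url))
```

Run as-is, the review function reports three findings against the report's headers, and the hardened headers for the same URL pass clean; the query string does not affect the chosen name because only the URL path is used.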
Dec 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 14 2017
Status: WontFix (was: Unconfirmed)