To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Documentation

Specification

De-facto standard

Status in Chromium

Blink>SecurityFeature


Enabled by default (tracking bug) in:

  • Chrome for desktop release 65
  • Chrome for Android release 65
  • Android WebView release 65

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • No signal
  • Shipped/Shipping
  • No signals

Owner

Comments

Safari and Firefox already implement the desired behavior. Edge tries to mitigate the impact of cross origin downloads by changing the file extension.

Last updated on 2020-11-09