Block cross-origin <a download>

To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.


Safari and Firefox already implement the desired behavior. Edge tries to mitigate the impact of cross origin downloads by changing the file extension.



De-facto standard

Status in Chromium

Enabled by default (launch bug) in:

  • Chrome for desktop release 61
  • Chrome for Android release 61
  • Android WebView release 61
  • Opera release 48
  • Opera for Android release 48

Consensus & Standardization

  • Shipped
  • No public signals
  • Shipped
  • No signals


Last updated on 2017-05-26