Block cross-origin <a download>

To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Comments

Safari and Firefox already implement the desired behavior. Edge tries to mitigate the impact of cross origin downloads by changing the file extension.

Documentation

Specification

De-facto standard

Status in Chromium

Blink


In development (launch bug)

Consensus & Standardization

  • Shipped
  • No public signals
  • Shipped
  • No signals

Owner

Last updated on 2017-06-20