Download in Sandboxed Iframes (removed)

Sandboxed iframe can initiate or instantiate downloads. Chrome is planning on removing this capability - i.e. Chrome is going to block all downloads initiated from or instantiated in a sandboxed iframe by default. The embedder may add "allow-downloads" to the sandbox attributes list to opt in. This allows content providers to restrict malicious or abusive downloads.

Motivation

This allows content providers to restrict malicious or abusive downloads.

Documentation

Specification

Established standard

Status in Chromium

Blink


Removed (tracking bug) in:

  • Chrome for desktop release 83
  • Chrome for Android release 83

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owner

Comments

Downloads can bring security vulnerabilities to a system. Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox.

Search tags

download, sandbox, html,

Last updated on 2020-10-25