Feature: Download in Sandboxed Iframes
(removed)
Sandboxed iframe can initiate or instantiate downloads. Chrome is planning on removing this capability - i.e. Chrome is going to block all downloads initiated from or instantiated in a sandboxed iframe by default. The embedder may add "allow-downloads" to the sandbox attributes list to opt in. This allows content providers to restrict malicious or abusive downloads.
Motivation
This allows content providers to restrict malicious or abusive downloads.
Documentation
Specification
Status in Chromium
Removed (tracking bug) in:
- Chrome for desktop release 83
- Chrome for Android release 83
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- No signal
- No signal
- No signal
- No signals
Owner
Search tags
download, sandbox, html,Last updated on 2021-01-04
Comments
Downloads can bring security vulnerabilities to a system. Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox.