Sandboxed iframe can initiate or instantiate downloads. Chrome is planning on removing this capability - i.e. Chrome is going to block all downloads initiated from or instantiated in a sandboxed iframe by default. The embedder may add "allow-downloads" to the sandbox attributes list to opt in. This allows content providers to restrict malicious or abusive downloads.

Motivation

This allows content providers to restrict malicious or abusive downloads.

Documentation

Specification

Specification link


Unknown standards status - check spec link for status

Status in Chromium

Blink


Removed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owner

Comments

Downloads can bring security vulnerabilities to a system. Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox.

Search tags

download, sandbox, html,

Last updated on 2021-09-08