New issue
Advanced search Search tips

Issue 179825 link

Starred by 5 users

Issue metadata

Status: Available
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug

issue 68198

Sign in to add a comment

Content-Disposition parameter filename parameter single quotes handled incorrectly

Reported by, Mar 4 2013

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Example URL:

Steps to reproduce the problem:
1. Visit
2. Run the test

What is the expected behavior?
"''" should be offered to save.

What went wrong?
The single quotes were removed.

Did this work before? N/A 

Chrome version: 25.0.1364.97  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)

Chrome is the only major UA do do this
Labels: Feature-Downloads
Blocking: chromium:68198
Project Member

Comment 3 by, Mar 10 2013

Labels: -Internals-Network -Feature-Downloads Cr-Internals-Network Cr-UI-Browser-Downloads

Comment 4 by, May 15 2013

Labels: -Pri-2 Pri-3
Status: Available
a[download] will allow "''", so it doesn't seem intentional for Content-Disposition to strip the single quotes:
data:text/html,<a download="''" href="data:application/octet-stream,">hello</a>
I had observed similar issue : when i tried to apply method to an anchor tag, the single quotes in the method parameters were removed in chrome.
Project Member

Comment 7 by, Jun 14 2016

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Hotlist-Recharge-Cold label is added for tracking. Please re-triage this issue.

For more details visit - Your friendly Sheriffbot
The blocking  bug 68198  is marked as WontFix. Is this something that we still want?

Comment 9 by, Jun 15 2016

Labels: Hotlist-GoodFirstBug
Status: Available (was: Untriaged)
The blocking bug is a grouping issue. It's something we'd like to have. I've added the GoodFirstBug flag since the implementation should be fairly simple.
Components: -Internals>Network
Removing internals>network. While the implementation is in //net, it doesn't need to consume any of network stack's time.
Project Member

Comment 11 by, Jun 16 2017

Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit - Your friendly Sheriffbot
Status: Available (was: Untriaged)
Project Member

Comment 14 by, Oct 25

The following revision refers to this bug:

commit 7913a74b0e22d99c3425dcea22e68783919a9667
Author: Matt Menke <>
Date: Thu Oct 25 17:14:13 2018

Header parser:  Don't allow single quotes.

No HTTP header specs allow single quotes to be used instead of double
quotes, so this CL better aligns Chrome with the spec.

Testing current behavior, using
FireFox doesn't support single quotes, but Chrome and Edge do.

Bug:  896233 , 179825
Change-Id: I29f034180d3dec06d767e6dff0ce938f48e47147
Reviewed-by: Min Qin <>
Reviewed-by: Peter Beverloo <>
Reviewed-by: Asanka Herath <>
Commit-Queue: Matt Menke <>
Cr-Commit-Position: refs/heads/master@{#602768}

Sign in to add a comment