HTML Anchor element's activation behavior does not take user action into account
Reported by
dch...@gmail.com,
Sep 24 2016
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36 Steps to reproduce the problem: 1. Go to http://jsfiddle.net/cW7W5/1573/ What is the expected behavior? It should not download the file as per: - https://html.spec.whatwg.org/#the-a-element:triggered-by-user-activation (step 2) Firefox does not download the file. What went wrong? Chrome downloads the file even though there is no user interaction or consent. Did this work before? Yes When the download attribute was not supported. Chrome version: 53.0.2785.116 Channel: stable OS Version: OS X 10.12.1 Flash Version: Shockwave Flash 23.0 r0
,
Sep 25 2016
working on this issue
,
Sep 26 2016
Yeah. Not a security bug. A web page is allowed to initiate a single download via script or otherwise without a user interaction. Agree with #1 that this is a compliance issue.
,
Sep 26 2016
Does this issue also apply to a JS-generated 'click' event? If so then we should probably be restricting the download behavior to just trusted click events. We could explicitly test for the presence of a UserGestureIndicator but it would probably be better to rely on explicit isTrusted if it's present. +dtapuska who's the expert about that. But +1 that this isn't a security issue. Eg. the site can also set window.top.location to some URL which sets the right headers to force a download.
,
Sep 26 2016
FYI, ignoring the click if !event.isTrusted is what we do in WebKit.
,
Sep 26 2016
Ya we can likley do this as well. Should be a trival change https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLAnchorElement.cpp?sq=package:chromium&rcl=1474903310&l=428
,
Sep 27 2016
FYI, there is a WIP CL: https://codereview.chromium.org/2371573002/ (jhwon0415 is working on this.)
,
Sep 28 2016
There's some web compat risk here of breaking existing sites, but given that Firefox and WebKit already behave this way I think the risk is minimal and I'm OK treating this as just a bugfix. But if, after landing, we get reports of this change breaking some real-world sites then we'll probably want to revert and treat this as an "intent to remove" (adding a UseCounter, etc.). But like I said, I think the risk is low.
,
Sep 28 2016
Although WebKit currently behaves this way (ignores untrusted events), we have not shipped the download attribute support in Safari yet so we don't know about web compatibility risks yet. However, shipping Firefox seems to behave this way already so I would agree the risk is hopefully low.
,
Sep 30 2016
There may be some Web compatibility issue if relying solely on event.isTrusted. See https://bugs.webkit.org/show_bug.cgi?id=156056#c3. This apparently breaks https://eligrey.com/demos/FileSaver.js/
,
Oct 7 2016
,
Nov 1 2017
,
Nov 1 2017
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by elawrence@chromium.org
, Sep 24 2016Components: UI>Browser>Downloads
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: Download attribute on anchor allows download without user interaction (was: download attribute on anchor elements allows download of files without user interaction)