The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aa36b98fa1c1df77968137cf73dd3244c4559a4e

commit aa36b98fa1c1df77968137cf73dd3244c4559a4e
Author: Jochen Eisinger <jochen@chromium.org>
Date: Sat May 20 09:04:29 2017

Drop the suggested name of downloads when initiator & resource origin differ

Compare https://html.spec.whatwg.org/#downloading-resources step 3-9.

BUG= 714373 
R=dtrainor@chromium.org

Change-Id: Iae9831c488fac56442ebf608203853da022fdf10
Reviewed-on: https://chromium-review.googlesource.com/509253
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#473428}
[modify] https://crrev.com/aa36b98fa1c1df77968137cf73dd3244c4559a4e/content/browser/download/download_request_core.cc
[modify] https://crrev.com/aa36b98fa1c1df77968137cf73dd3244c4559a4e/third_party/WebKit/LayoutTests/http/tests/security/anchor-download-block-crossorigin-expected.txt
[modify] https://crrev.com/aa36b98fa1c1df77968137cf73dd3244c4559a4e/third_party/WebKit/LayoutTests/http/tests/security/anchor-download-block-crossorigin.html
[modify] https://crrev.com/aa36b98fa1c1df77968137cf73dd3244c4559a4e/third_party/WebKit/Source/core/html/HTMLAnchorElement.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99a1d0db25c2b77ad42d216b2289e0bf67c69540

commit 99a1d0db25c2b77ad42d216b2289e0bf67c69540
Author: Jochen Eisinger <jochen@chromium.org>
Date: Fri May 26 14:16:45 2017

cross origin downloads w/o content disposition are dangerous

BUG= 714373 , 608669 
R=dtrainor@chromium.org

Change-Id: I170ad3a3bec4afe64897a16c98c25e8a152c15ed
Reviewed-on: https://chromium-review.googlesource.com/513923
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#475000}
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/loader/chrome_resource_dispatcher_host_delegate_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_create_info.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl_unittest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_request_core.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_stats.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/tools/metrics/histograms/enums.xml

It's M61 at this point

#1 - this might have caused  issue 730050  (downloaded data URLs do not get their file name from the download attribute).

This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

removing the target milestone for the time being

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3deb65444b820ed0caf0f3c2c000e82c2ce8564d

commit 3deb65444b820ed0caf0f3c2c000e82c2ce8564d
Author: Jochen Eisinger <jochen@chromium.org>
Date: Sat Nov 11 15:48:15 2017

When cancelling parsing of a document, try to transition to completed

With browser side navigations, we might cancel parsing because a new
navigation started, which in turn might fail. In that case, the original
document should be in a defined state

BUG= 714373 
R=japhet@chromium.org

Change-Id: Idf09c46a2dde8ce1107d8c8d1d414e5fa06987da
Reviewed-on: https://chromium-review.googlesource.com/758998
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515842}
[modify] https://crrev.com/3deb65444b820ed0caf0f3c2c000e82c2ce8564d/third_party/WebKit/Source/core/loader/FrameLoader.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b

commit f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Jan 02 14:30:18 2018

Use navigation for <a download>

We pass the suggested filename along with the request and use that
as a signal that the navigation should result in a download.

The next step will be to ignore this hint for cross origin downloads,
so that only files with a content-disposition will end up being
downloaded.

Bug:  714373 , 797292 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.linux:linux_site_isolation
Change-Id: I508d7abe1cba9b75d65132b0688984cdebfc6fd4
Reviewed-on: https://chromium-review.googlesource.com/758236
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Jialiu Lin <jialiul@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Min Qin(OOO 12/7-1/10) <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526475}
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/download/download_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/safe_browsing/safe_browsing_navigation_observer_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/api_test/webnavigation/download/test_download.js
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-allow.zip
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-deny.zip
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-ignore.zip
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/devtools/devtools_url_interceptor_request_job.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_manager_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_manager_impl.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_request_core.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/resource_downloader.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/resource_downloader.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/mime_sniffing_resource_handler.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_dispatcher_host_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_request_info_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_request_info_impl.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/common/navigation_params.mojom
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/public/test/navigation_simulator.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/shell/test_runner/test_runner.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/shell/test_runner/web_frame_test_client.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/test/data/download/download-attribute-blob.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/test/test_render_frame_host.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/editing/pasteboard/drag-files-to-editable-element-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/editing/pasteboard/drag-files-to-editable-element.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/area-download-click-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/area-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/resources/area-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-404-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-404.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/resources/a-download-click.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/fast/events/drag-file-crash.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/fast/events/resources/drag-file-crash-pass.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/http/tests/security/upgrade-insecure-requests/https-header-top-level.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/core/html/HTMLAnchorElement.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/exported/WebURLRequest.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/public/platform/WebURLRequest.h

jochen@, r526475 breaks a lot of extensions/sites that offer to export their data via blob object URLs assigned to an anchor element's href, see the attached test.html and test2.html

Deleted: test.html 253 bytes

test.html 253 bytes View Download

Deleted: test2.html 307 bytes

test2.html 307 bytes View Download

r526475 also breaks FileSystem URLs obtained via window.webkitRequestFileSystem and its FileEntry#toURL which look like filesystem:chrome-extension://lfnlmiimoamfidmfgcfeenahdaoaehkc/temporary/foo.json

Firefox 52, 57, 59 handles test.html and test2.html correctly.
Just like Chrome before r526475, of course.

Currently I'm using a workaround when chrome version branch is greater than 3310:
it's possible to download data via object URLs for blobs inside a temporary iframe.

sorry about that. Currently, nothing is supposed to break - this issue is tracked in  issue 798705  (fix will land before M65)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a6afcb26ba6cd2324ddaa366b11968237e304a3

commit 2a6afcb26ba6cd2324ddaa366b11968237e304a3
Author: Jochen Eisinger <jochen@chromium.org>
Date: Mon Jan 15 08:58:06 2018

Ignore download attribute for cross origin downloads

We still end up downloading the resource, if the server responds with a
content-disposition header, or the content type can't be handled by
chrome.

BUG= 714373 
R=dtrainor@chromium.org

Change-Id: I0927d83d77292cac820047e5ab99f204ccd3630b
Reviewed-on: https://chromium-review.googlesource.com/847594
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529231}
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/download/download_stats.h
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/loader/mime_sniffing_resource_handler.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/tools/metrics/histograms/enums.xml

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3179df153a9913dc20e569f005640334c22690d5

commit 3179df153a9913dc20e569f005640334c22690d5
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Jan 23 12:58:29 2018

Move suggested_filename from begin to common nav params

R=mkwst@chromium.org,clamy@chromium.org

Bug:  714373 
Change-Id: Ib0b8fd1ee8fc2118e6d4e0b11ae5e19dd99b8066
Reviewed-on: https://chromium-review.googlesource.com/880721
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531217}
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/navigation_entry_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_network_service_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/resource_dispatcher_host_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/frame_messages.h
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.h
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.mojom
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/public/test/navigation_simulator.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/public/test/render_view_test.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/test/test_render_frame_host.cc

When using Chrome version 65 or 66 I cannot download a file using blob.  I get the error:
The webpage at blob:https://v360demo.xxxxxxxxxxxxxxxxxxxxx    might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

This is an intermittent issue but fails most of the time.

Can you provide a repro url please?

Does this work in Firefox?

If the download is coming from the same domain and has an appropriate content-disposition, is using an anchor with the download attr still the best way initiate a download that doesn't take the user away from the page?  

In my app, the user may start to down load files while others are still processing so it is critical that the download doesn't trigger the beforeunload process.  I have been doing this up until now by doing something like this:

var element = document.createElement('a')
element.setAttribute('href', 'https://www.sameorigin.com/path/to/track.mp3')
element.setAttribute('target', '_blank')
element.setAttribute('download', 'track.mp3')
element.style.display = 'none'
document.body.appendChild(element)
element.click()
document.body.removeChild(element)

To generate an element like this:

<a href="https://www.sameorigin.com/path/to/track.mp3" target="_blank" download="track.mp3"></a>

the target _blank attr is to ensure that the triggered click doesn't disrupt the current pages execution.  I had noticed that it some cases it was triggering the beforeunload event without it.

This always felt pretty hacky and I'd love to have a better way to pass a download to the browsers download manger.

The only other option that I know of is do the download fully in js via xhr/fetch and buffer the entire file into ram before creating a blob for download.  This also requires similar hackery in order to initiate the download and is less fault tolerant than handing the download url to Chrome's download manager.

I appreciate any guidance.

if the server replies with a content-disposition, chrome will always download the file, yes.

The beforeunload event will not be fired.

I landed a fix so that download= overrides target=, however, that's not yet merged back to M65 (and I'm not sure whether the merge will be approved..) see  issue 823050 

Also filed issue 824060 to kick of a discussion about a better interface to the download manager, feel free to star that issue

Intent to deprecate thread: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Iw3_SUcagGg/NtFHvCClBwAJ

Being improved to be less breaking in  issue 828963 

In mac OS, cmd + click is still downloading a cross origin download link even when content-disposition is not set. Is that the expected behaviour?

yes, that's a different feature (i.e. the user explicitly saying download this vs the web site attempting to download something)

I’m curious: Has there been any consideration of cross-origin downloads when you control both origins? As a default behavior, I think this makes sense, but it may also be sensible to add a CSP instruction to allow downloads for specifically-identified domains.

Use case: Displaying a "download" link next to an image, but the image is hosted on your CDN.

if you want the image to download, and you control the CDN, reply with a content-disposition header.

In general, I'd recommend looking at the Background Fetch API (unfortunately, still under development) to build better download experiences

Thanks for that @jochen! Content-disposition could work for some scenarios, but I am thinking of an instance where you want to display the image *and* have an explicit download link. It seems like you would need to make content-disposition dynamic (perhaps based on a query string parameter) in order to have the CDN be able to serve the same resource in 2 ways. That may not always be possible. The download attribute seems like a much more declarative way to manage this as a front-end developer. And if the CDN is already CSP-approved, it seems pretty low-risk to implement.

unless the CDN opts in, there's no way for the browser to know that it agrees that this should be a download.