Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 4 users
Status: Assigned
OOO until Aug 21
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Status: ----
Launch-Test: ----
Launch-UI: ----

Blocked on:
issue 739672

Sign in to add a comment
Ignore <a download> for cross origin URLs
Project Member Reported by, Apr 22 Back to list
Change description:
To avoid what is essentially  user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Changes to API surface:
* HTMLAnchorElement


Support in other browsers:
Internet Explorer: different mitigation
Firefox: shipped
Safari: shipped

Project Member Comment 2 by, May 26
The following revision refers to this bug:

commit 99a1d0db25c2b77ad42d216b2289e0bf67c69540
Author: Jochen Eisinger <>
Date: Fri May 26 14:16:45 2017

cross origin downloads w/o content disposition are dangerous


Change-Id: I170ad3a3bec4afe64897a16c98c25e8a152c15ed
Commit-Queue: Jochen Eisinger <>
Reviewed-by: David Trainor <>
Cr-Commit-Position: refs/heads/master@{#475000}

Labels: -M-60 M-61
It's M61 at this point
Status: Fixed
Status: Assigned
#1 - this might have caused  issue 730050  (downloaded data URLs do not get their file name from the download attribute).
Blockedon: 739672
Labels: -M-61 -Launch-M-Target-60-Stable M-62
Sign in to add a comment