Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 5 users
Status: Assigned
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocked on:
issue 739672

Sign in to add a comment
Ignore <a download> for cross origin URLs
Project Member Reported by, Apr 22 Back to list
Change description:
To avoid what is essentially  user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Changes to API surface:
* HTMLAnchorElement


Support in other browsers:
Internet Explorer: different mitigation
Firefox: shipped
Safari: shipped

Project Member Comment 2 by, May 26
The following revision refers to this bug:

commit 99a1d0db25c2b77ad42d216b2289e0bf67c69540
Author: Jochen Eisinger <>
Date: Fri May 26 14:16:45 2017

cross origin downloads w/o content disposition are dangerous


Change-Id: I170ad3a3bec4afe64897a16c98c25e8a152c15ed
Commit-Queue: Jochen Eisinger <>
Reviewed-by: David Trainor <>
Cr-Commit-Position: refs/heads/master@{#475000}

Labels: -M-60 M-61
It's M61 at this point
Status: Fixed
Status: Assigned
#1 - this might have caused  issue 730050  (downloaded data URLs do not get their file name from the download attribute).
Blockedon: 739672
Labels: -M-61 -Launch-M-Target-60-Stable M-62
Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here:

For any questions, please contact owencm, sshruthi, larforge
Sign in to add a comment