Starred by 4 users
Status: Assigned
Pri: 3
Type: Launch-OWP

Blocked on:
issue 739672

Ignore <a download> for cross origin URLs
Project Member Reported by jochen@chromium.org, Apr 22
Change description:
To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Changes to API surface:
* HTMLAnchorElement

Links:
https://developer.mozilla.org/en/docs/Web/HTML/Element/a

Support in other browsers:
Internet Explorer: different mitigation
Firefox: shipped
Safari: shipped
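
As an added illustration (not part of the original issue and not Chromium code), the JavaScript below audits a list of anchors for `download` attributes that stop taking effect under this change because the `href` resolves to a different origin than the document. The function names, verdict strings and `example.test` URLs are constructed for this example; non-HTTP(S) schemes are left unclassified because the change description does not address them.

```javascript
// Added example: names and verdict strings are hypothetical, not Blink's.
// Reports which anchors keep an effective `download` attribute once the
// attribute is ignored for cross-origin targets.
function classifyDownloadAnchors(documentUrl, anchors) {
  const docOrigin = new URL(documentUrl).origin;
  return anchors.map(({ href, download }) => {
    // An empty attribute (<a download>) is still "present"; only absence is skipped.
    if (download === undefined || download === null) {
      return { href, verdict: 'no-download-attribute' };
    }
    let target;
    try {
      target = new URL(href, documentUrl); // resolve relative hrefs against the page
    } catch (err) {
      return { href, verdict: 'unparseable-href' };
    }
    if (target.protocol !== 'http:' && target.protocol !== 'https:') {
      // data:, blob: and similar are not covered by the change description.
      return { href, verdict: 'non-http-scheme-unclassified' };
    }
    // An origin is scheme + host + port, so a sibling subdomain, another
    // port, or http vs https all count as cross-origin.
    return target.origin === docOrigin
      ? { href, verdict: 'same-origin-download-honoured' }
      : { href, verdict: 'cross-origin-download-ignored' };
  });
}

// Constructed sample input (not taken from the issue).
const SAMPLE_DOCUMENT = 'https://app.example.test/reports/index.html';
const SAMPLE_ANCHORS = [
  { href: 'export.csv', download: 'export.csv' },
  { href: 'https://cdn.example.test/files/report.pdf', download: 'report.pdf' },
  { href: 'https://app.example.test:8443/build.bin', download: '' },
  { href: 'http://app.example.test/legacy.zip', download: 'legacy.zip' },
  { href: 'https://cdn.example.test/page.html' },
  { href: 'data:text/plain,hello', download: 'hello.txt' },
];

// Convenience filter: only the hrefs whose download attribute would be ignored.
function affectedAnchors(documentUrl, anchors) {
  return classifyDownloadAnchors(documentUrl, anchors)
    .filter((r) => r.verdict === 'cross-origin-download-ignored')
    .map((r) => r.href);
}

console.log(classifyDownloadAnchors(SAMPLE_DOCUMENT, SAMPLE_ANCHORS));
```

For links reported as ignored, a `Content-Disposition: attachment` response header sent by the target origin still causes the browser to download the resource.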

 
Project Member Comment 2 by bugdroid1@chromium.org, May 26
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99a1d0db25c2b77ad42d216b2289e0bf67c69540

commit 99a1d0db25c2b77ad42d216b2289e0bf67c69540
Author: Jochen Eisinger <jochen@chromium.org>
Date: Fri May 26 14:16:45 2017

cross origin downloads w/o content disposition are dangerous

BUG=714373,608669
R=dtrainor@chromium.org

Change-Id: I170ad3a3bec4afe64897a16c98c25e8a152c15ed
Reviewed-on: https://chromium-review.googlesource.com/513923
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#475000}
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/loader/chrome_resource_dispatcher_host_delegate_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_create_info.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl_unittest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_request_core.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_stats.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/tools/metrics/histograms/enums.xml

Labels: -M-60 M-61
It's M61 at this point
Status: Fixed
Status: Assigned
#1 - this might have caused issue 730050 (downloaded data URLs do not get their file name from the download attribute).
Blockedon: 739672
Labels: -M-61 -Launch-M-Target-60-Stable M-62