New issue
Advanced search Search tips
Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 15
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocked on:
issue 739672

Blocking:
issue 828963


Show other hotlists

Hotlists containing this issue:
Hotlist-1


Sign in to add a comment

Ignore <a download> for cross origin URLs

Project Member Reported by jochen@chromium.org, Apr 22 2017 Back to list

Issue description

Change description:
To avoid what is essentially  user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Changes to API surface:
* HTMLAnchorElement

Links:
https://developer.mozilla.org/en/docs/Web/HTML/Element/a

Support in other browsers:
Internet Explorer: different mitigation
Firefox: shipped
Safari: shipped

 
Project Member

Comment 2 by bugdroid1@chromium.org, May 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99a1d0db25c2b77ad42d216b2289e0bf67c69540

commit 99a1d0db25c2b77ad42d216b2289e0bf67c69540
Author: Jochen Eisinger <jochen@chromium.org>
Date: Fri May 26 14:16:45 2017

cross origin downloads w/o content disposition are dangerous

BUG= 714373 , 608669 
R=dtrainor@chromium.org

Change-Id: I170ad3a3bec4afe64897a16c98c25e8a152c15ed
Reviewed-on: https://chromium-review.googlesource.com/513923
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#475000}
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/download/download_browsertest.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/chrome/browser/loader/chrome_resource_dispatcher_host_delegate_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_create_info.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_item_impl_unittest.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_request_core.cc
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/content/browser/download/download_stats.h
[modify] https://crrev.com/99a1d0db25c2b77ad42d216b2289e0bf67c69540/tools/metrics/histograms/enums.xml

Comment 3 by jochen@chromium.org, May 26 2017

Labels: -M-60 M-61
It's M61 at this point

Comment 4 by jochen@chromium.org, May 26 2017

Status: Fixed (was: Assigned)

Comment 5 by jochen@chromium.org, May 30 2017

Status: Assigned (was: Fixed)

Comment 6 by phistuck@gmail.com, Jun 6 2017

#1 - this might have caused  issue 730050  (downloaded data URLs do not get their file name from the download attribute).
Blockedon: 739672

Comment 8 by jochen@chromium.org, Jul 31 2017

Labels: -M-61 -Launch-M-Target-60-Stable M-62

Comment 9 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge
Labels: -M-62
removing the target milestone for the time being
Project Member

Comment 11 by bugdroid1@chromium.org, Nov 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3deb65444b820ed0caf0f3c2c000e82c2ce8564d

commit 3deb65444b820ed0caf0f3c2c000e82c2ce8564d
Author: Jochen Eisinger <jochen@chromium.org>
Date: Sat Nov 11 15:48:15 2017

When cancelling parsing of a document, try to transition to completed

With browser side navigations, we might cancel parsing because a new
navigation started, which in turn might fail. In that case, the original
document should be in a defined state

BUG= 714373 
R=japhet@chromium.org

Change-Id: Idf09c46a2dde8ce1107d8c8d1d414e5fa06987da
Reviewed-on: https://chromium-review.googlesource.com/758998
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515842}
[modify] https://crrev.com/3deb65444b820ed0caf0f3c2c000e82c2ce8564d/third_party/WebKit/Source/core/loader/FrameLoader.cpp

Project Member

Comment 12 by bugdroid1@chromium.org, Jan 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b

commit f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Jan 02 14:30:18 2018

Use navigation for <a download>

We pass the suggested filename along with the request and use that
as a signal that the navigation should result in a download.

The next step will be to ignore this hint for cross origin downloads,
so that only files with a content-disposition will end up being
downloaded.

Bug:  714373 ,797292
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.linux:linux_site_isolation
Change-Id: I508d7abe1cba9b75d65132b0688984cdebfc6fd4
Reviewed-on: https://chromium-review.googlesource.com/758236
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Jialiu Lin <jialiul@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Min Qin(OOO 12/7-1/10) <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526475}
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/download/download_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/browser/safe_browsing/safe_browsing_navigation_observer_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/api_test/webnavigation/download/test_download.js
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-allow.zip
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-deny.zip
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/chrome/test/data/extensions/platform_apps/web_view/download/expect-ignore.zip
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/devtools/devtools_url_interceptor_request_job.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_manager_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_manager_impl.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/download_request_core.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/resource_downloader.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/download/resource_downloader.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/mime_sniffing_resource_handler.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_network_service_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/navigation_url_loader_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_dispatcher_host_unittest.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_request_info_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/browser/loader/resource_request_info_impl.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/common/navigation_params.mojom
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/public/test/navigation_simulator.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/shell/test_runner/test_runner.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/shell/test_runner/web_frame_test_client.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/test/data/download/download-attribute-blob.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/content/test/test_render_frame_host.cc
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/editing/pasteboard/drag-files-to-editable-element-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/editing/pasteboard/drag-files-to-editable-element.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/area-download-click-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/area-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-area-element/resources/area-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-404-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-404.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click-expected.txt
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/a-download-click.html
[add] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/external/wpt/html/semantics/text-level-semantics/the-a-element/resources/a-download-click.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/fast/events/drag-file-crash.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/fast/events/resources/drag-file-crash-pass.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/LayoutTests/http/tests/security/upgrade-insecure-requests/https-header-top-level.html
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/core/html/HTMLAnchorElement.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/exported/WebURLRequest.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.cpp
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.h
[modify] https://crrev.com/f2d2fe87028de36a489f7db3f5fb28da2e9d9b2b/third_party/WebKit/public/platform/WebURLRequest.h

jochen@, r526475 breaks a lot of extensions/sites that offer to export their data via blob object URLs assigned to an anchor element's href, see the attached test.html and test2.html
test.html
253 bytes View Download
test2.html
307 bytes View Download
r526475 also breaks FileSystem URLs obtained via window.webkitRequestFileSystem and its FileEntry#toURL which look like filesystem:chrome-extension://lfnlmiimoamfidmfgcfeenahdaoaehkc/temporary/foo.json
Firefox 52, 57, 59 handles test.html and test2.html correctly.
Just like Chrome before r526475, of course.
Currently I'm using a workaround when chrome version branch is greater than 3310:
it's possible to download data via object URLs for blobs inside a temporary iframe.
sorry about that. Currently, nothing is supposed to break - this issue is tracked in  issue 798705  (fix will land before M65)
Project Member

Comment 18 by bugdroid1@chromium.org, Jan 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a6afcb26ba6cd2324ddaa366b11968237e304a3

commit 2a6afcb26ba6cd2324ddaa366b11968237e304a3
Author: Jochen Eisinger <jochen@chromium.org>
Date: Mon Jan 15 08:58:06 2018

Ignore download attribute for cross origin downloads

We still end up downloading the resource, if the server responds with a
content-disposition header, or the content type can't be handled by
chrome.

BUG= 714373 
R=dtrainor@chromium.org

Change-Id: I0927d83d77292cac820047e5ab99f204ccd3630b
Reviewed-on: https://chromium-review.googlesource.com/847594
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529231}
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/download/download_stats.h
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/loader/mime_sniffing_resource_handler.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/2a6afcb26ba6cd2324ddaa366b11968237e304a3/tools/metrics/histograms/enums.xml

Status: Fixed (was: Assigned)
Project Member

Comment 20 by bugdroid1@chromium.org, Jan 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3179df153a9913dc20e569f005640334c22690d5

commit 3179df153a9913dc20e569f005640334c22690d5
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Jan 23 12:58:29 2018

Move suggested_filename from begin to common nav params

R=mkwst@chromium.org,clamy@chromium.org

Bug:  714373 
Change-Id: Ib0b8fd1ee8fc2118e6d4e0b11ae5e19dd99b8066
Reviewed-on: https://chromium-review.googlesource.com/880721
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531217}
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/navigation_entry_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_network_service.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_network_service_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/navigation_url_loader_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/browser/loader/resource_dispatcher_host_unittest.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/frame_messages.h
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.h
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/common/navigation_params.mojom
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/public/test/navigation_simulator.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/public/test/render_view_test.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/3179df153a9913dc20e569f005640334c22690d5/content/test/test_render_frame_host.cc

When using Chrome version 65 or 66 I cannot download a file using blob.  I get the error:
The webpage at blob:https://v360demo.xxxxxxxxxxxxxxxxxxxxx    might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

This is an intermittent issue but fails most of the time.
Can you provide a repro url please?

Does this work in Firefox?
If the download is coming from the same domain and has an appropriate content-disposition, is using an anchor with the download attr still the best way initiate a download that doesn't take the user away from the page?  

In my app, the user may start to down load files while others are still processing so it is critical that the download doesn't trigger the beforeunload process.  I have been doing this up until now by doing something like this:

var element = document.createElement('a')
element.setAttribute('href', 'https://www.sameorigin.com/path/to/track.mp3')
element.setAttribute('target', '_blank')
element.setAttribute('download', 'track.mp3')
element.style.display = 'none'
document.body.appendChild(element)
element.click()
document.body.removeChild(element)

To generate an element like this:

<a href="https://www.sameorigin.com/path/to/track.mp3" target="_blank" download="track.mp3"></a>

the target _blank attr is to ensure that the triggered click doesn't disrupt the current pages execution.  I had noticed that it some cases it was triggering the beforeunload event without it.

This always felt pretty hacky and I'd love to have a better way to pass a download to the browsers download manger.

The only other option that I know of is do the download fully in js via xhr/fetch and buffer the entire file into ram before creating a blob for download.  This also requires similar hackery in order to initiate the download and is less fault tolerant than handing the download url to Chrome's download manager.

I appreciate any guidance.
if the server replies with a content-disposition, chrome will always download the file, yes.

The beforeunload event will not be fired.

I landed a fix so that download= overrides target=, however, that's not yet merged back to M65 (and I'm not sure whether the merge will be approved..) see  issue 823050 
Also filed issue 824060 to kick of a discussion about a better interface to the download manager, feel free to star that issue
Blocking: 828963
Intent to deprecate thread: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Iw3_SUcagGg/NtFHvCClBwAJ

Being improved to be less breaking in  issue 828963 
In mac OS, cmd + click is still downloading a cross origin download link even when content-disposition is not set. Is that the expected behaviour?
yes, that's a different feature (i.e. the user explicitly saying download this vs the web site attempting to download something)

Sign in to add a comment