RESOLVED FIXED 156100
<a download> does not honor the same-origin requirement
https://bugs.webkit.org/show_bug.cgi?id=156100
Brent Fulgham
Reported 2016-03-31 23:58:29 PDT
The initial <a download> implementation does not restrict downloads to the same origin as the page holding the link.
Tested by: http/tests/security/anchor-download-block-crossorigin
Attachments
Patch (6.52 KB, patch)
2016-09-27 14:53 PDT, Chris Dumez
no flags
Patch (7.51 KB, patch)
2016-09-27 15:14 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2016-09-27 14:05:01 PDT
*** Bug 162631 has been marked as a duplicate of this bug. ***
Chris Dumez
Comment 2 2016-09-27 14:08:31 PDT
Test case:
- http://jsfiddle.net/cW7W5/1589/

It seems that:
- Firefox ignores the Download attribute entirely
- Chrome only ignores the download attribute value (i.e. the suggested file name)

Let's go with the stricter (Firefox) behavior for now.
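The two cross-origin behaviours compared in the comment above, modelled as an added example (not WebKit code and not part of the original bug thread). The function names, policy labels and `example.test` URLs are constructed, and only http(s) link targets are modelled.

```javascript
"use strict";
// Added example, not WebKit code. The policy labels are hypothetical names
// for the two behaviours described in the comment above.
const STRICT = "ignore-attribute";  // cross-origin: attribute ignored, link navigates
const LENIENT = "ignore-filename";  // cross-origin: download proceeds, suggested name dropped

// Decide what a click on <a href download> does under the given policy.
// downloadAttr is null when the attribute is absent, "" when present but empty.
function resolveDownload(pageUrl, href, downloadAttr, policy) {
  const page = new URL(pageUrl);
  const target = new URL(href, page);  // resolves relative hrefs against the page
  if (downloadAttr === null) return { action: "navigate", filename: null };
  if (!/^https?:$/.test(target.protocol)) {
    return { action: "not-modelled", filename: null };  // other schemes are out of scope here
  }
  // URL.origin is scheme + host + port, with default ports normalised.
  if (target.origin === page.origin) {
    return { action: "download", filename: downloadAttr || null };
  }
  if (policy === STRICT) return { action: "navigate", filename: null };
  if (policy === LENIENT) return { action: "download", filename: null };
  throw new Error("unknown policy: " + policy);
}

// Constructed sample: links found on a page at PAGE.
const PAGE = "https://app.example.test/reports/index.html";
const SAMPLE_LINKS = [
  { href: "/files/q1.pdf", download: "q1.pdf" },                    // same origin, relative
  { href: "https://app.example.test:443/files/q2.pdf", download: "" }, // same origin, default port
  { href: "https://cdn.example.test/q3.pdf", download: "q3.pdf" },  // different host
  { href: "http://app.example.test/q4.pdf", download: "q4.pdf" },   // different scheme
  { href: "https://cdn.example.test/help.html", download: null },   // plain link
];

// Site audit helper: which download links stop downloading under the strict policy?
function linksLosingDownload(pageUrl, links) {
  return links
    .filter((l) => l.download !== null)
    .filter((l) => resolveDownload(pageUrl, l.href, l.download, STRICT).action === "navigate")
    .map((l) => l.href);
}

console.log(linksLosingDownload(PAGE, SAMPLE_LINKS));
```
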
Chris Dumez
Comment 3 2016-09-27 14:53:15 PDT
Chris Dumez
Comment 4 2016-09-27 15:14:48 PDT
WebKit Commit Bot
Comment 5 2016-09-27 17:39:22 PDT
Comment on attachment 290013
Patch

Clearing flags on attachment: 290013

Committed r206478: <http://trac.webkit.org/changeset/206478>
WebKit Commit Bot
Comment 6 2016-09-27 17:39:28 PDT
All reviewed patches have been landed. Closing bug.