The initial <a download> implementation does not restrict downloads to the same origin as the page holding the link. Tested by: http/tests/security/anchor-download-block-crossorigin
*** Bug 162631 has been marked as a duplicate of this bug. ***
Test case: - http://jsfiddle.net/cW7W5/1589/ It seems that: - Firefox ignores the Download attribute entirely - Chrome only ignores the download attribute value (i.e. the suggested file name) Let's go with the stricter (Firefox) behavior for now.
Created attachment 290009 [details] Patch
Created attachment 290013 [details] Patch
Comment on attachment 290013 [details] Patch Clearing flags on attachment: 290013 Committed r206478: <http://trac.webkit.org/changeset/206478>
All reviewed patches have been landed. Closing bug.