Bug 156100 - <a download> does not honor the same-origin requirement
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL: http://jsfiddle.net/cW7W5/1589/
Duplicates: 162631
Depends on: 156057
Blocks: 156056
Reported: 2016-03-31 23:58 PDT by Brent Fulgham
Modified: 2016-09-27 17:39 PDT

Patch (6.52 KB, patch)
2016-09-27 14:53 PDT, Chris Dumez
Patch (7.51 KB, patch)
2016-09-27 15:14 PDT, Chris Dumez

Description Brent Fulgham 2016-03-31 23:58:29 PDT
The initial <a download> implementation does not restrict downloads to the same origin as the page holding the link.

Tested by: http/tests/security/anchor-download-block-crossorigin
Comment 1 Chris Dumez 2016-09-27 14:05:01 PDT
*** Bug 162631 has been marked as a duplicate of this bug. ***
Comment 2 Chris Dumez 2016-09-27 14:08:31 PDT
Test case:
- http://jsfiddle.net/cW7W5/1589/

It seems that:
- Firefox ignores the download attribute entirely
- Chrome only ignores the download attribute value (i.e. the suggested file name)

Let's go with the stricter (Firefox) behavior for now.
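
The two cross-origin behaviors compared in Comment 2, modeled as an added example (not part of the bug thread and not WebKit code). The function name, policy names, the reading of "ignores entirely" as ordinary navigation, and the URL-derived fallback file name are assumptions for illustration; the URLs are constructed sample values.

```javascript
// Added illustration: models the two cross-origin policies described in Comment 2.
// All names here are hypothetical, not WebKit identifiers.

// Last path segment of the URL, used when no page-supplied name is honored (assumption).
function nameFromURL(url) {
  const last = url.pathname.split('/').filter(Boolean).pop();
  return last ? decodeURIComponent(last) : 'download';
}

// documentURL: URL of the page holding the link
// href / downloadAttr: the anchor's attributes (downloadAttr === null when absent)
// policy: 'ignore-attribute' (Firefox, per Comment 2) or 'ignore-filename' (Chrome)
function resolveAnchorDownload(documentURL, href, downloadAttr, policy) {
  const target = new URL(href, documentURL); // resolves relative hrefs
  if (downloadAttr === null) {
    return { action: 'navigate', url: target.href };
  }
  // Same origin means scheme, host and port all match; opaque origins
  // serialize to the string "null" and must never compare as equal.
  const docOrigin = new URL(documentURL).origin;
  const sameOrigin = target.origin !== 'null' && target.origin === docOrigin;
  if (sameOrigin) {
    return { action: 'download', url: target.href,
             filename: downloadAttr || nameFromURL(target) };
  }
  if (policy === 'ignore-attribute') {
    // Stricter behavior: the link acts as if it had no download attribute.
    return { action: 'navigate', url: target.href };
  }
  if (policy === 'ignore-filename') {
    // The download proceeds, but the page-supplied file name is dropped.
    return { action: 'download', url: target.href, filename: nameFromURL(target) };
  }
  throw new Error('unknown policy: ' + policy);
}

// Constructed sample values.
const page = 'https://app.example/reports/index.html';
const cross = 'https://cdn.example/files/x.bin';
console.log(resolveAnchorDownload(page, 'q3.pdf', 'summary.pdf', 'ignore-attribute'));
console.log(resolveAnchorDownload(page, cross, 'invoice.pdf', 'ignore-attribute'));
console.log(resolveAnchorDownload(page, cross, 'invoice.pdf', 'ignore-filename'));
```
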
Comment 3 Chris Dumez 2016-09-27 14:53:15 PDT
Created attachment 290009
Comment 4 Chris Dumez 2016-09-27 15:14:48 PDT
Created attachment 290013
Comment 5 WebKit Commit Bot 2016-09-27 17:39:22 PDT
Comment on attachment 290013

Clearing flags on attachment: 290013

Committed r206478: <http://trac.webkit.org/changeset/206478>
Comment 6 WebKit Commit Bot 2016-09-27 17:39:28 PDT
All reviewed patches have been landed.  Closing bug.