(In reply to Anne (:annevk) from comment #6)
Tim, when you say that the agent cluster IDs are different between the page and the sandboxed iframe, what page do you mean? The page that embeds the iframe? But it's the iframe that is being navigated (resulting in a download), right?
Actually, I am not entirely sure if it is the page that embeds the iframe given that I am not familiar with how downloading works. And I've got your point that the download could happen in a new tab after clicking a blob URL in iframes. So, It could be the case that the agent cluster ID of the downloading tab is different from the page which embeds the sandboxed iframe.
I do think we might need wider lookup of blob URLs for the purposes of top-level navigation. E.g., if a document generates a blob URL and the user navigates to that in a new tab.
IIUC, The agent cluster should be the same if the newly opened tab has an opener relationship with the window that generates a blob URL. So, the blob URL should be able to be resolved in this case. But. It doesn't apply here for a downloading tab because it has a different agent cluster ID. So, Does it suppose to be a different agent cluster ID or not?