HTML5 Download Attribute doesn't work for cross origin sites

RESOLVED INVALID

Status

Core
DOM: Core & HTML
4 years ago
9 months ago

People

(Reporter: Maino, Unassigned)

Tracking

21 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22

Steps to reproduce:

<a href="http://upload.wikimedia.org/wikipedia/commons/8/87/Google_Chrome_icon_%282011%29.png" download="filename.png">Click me!</a>

http://jsbin.com/akawuq/2


Actual results:

The image was opened regularly


Expected results:

It should have been downloaded like in Google Chrome

Updated

4 years ago
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

Comment 1

4 years ago
This is a necessary security measure.  See the discussion in bug 676619.

Note that the behavior is just fine per spec, for what that's worth....
Blocks: 676619
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
(Reporter)

Comment 2

4 years ago
In my opinion it doesn't make any sense to link it with the CORS Policy, because I don't see which security flaws the hackers could exploit with the HTML5 download attribute. Also, cross origin downloads are working perfectly in Google Chrome.

Comment 3

4 years ago
> because I don't see which security flaws the hackers could exploit with the HTML5
> download attribute. 

Please do read the discussion in bug 676619.

> Also, cross origin downloads are working perfectly in Google Chrome.

Yes, and we think they're adding security bugs by doing that.

Comment 4

4 years ago
I know this bug is labeled invalid and I know the devs don't want to address the issue further...but if anyone reads this I'd really like to know if there is some way *advanced* FF users can enable cross-origin downloads.

I mean, c'mon, the case against allowing cross-origin downloads is built on the premise that users could unknowingly download a file from a site containing their own personal information (e.g., gmail.com) and save it using a misleading name (e.g. "30off.coupon.txt") AND THEN proceed to another malicious page where they directly go and upload that same file they just downloaded. I mean c'mon. Seriously?? Anyone who's gonna fall for that deserves to lose their personal information.

I'm all for browser security, but I think a simple preference in about:config to enable cross-origin a@download is in order. Please consider. Thank you.

Comment 5

a year ago
Solution: make an ajax call, create a blob and objectURL, and set that as the download attribute - all set

How is this any different?
The difference is the ajax call enforces same-origin or CORS opt-in.  I suppose we could do something where @download is considered for cross-origin but CORS is then enforced...
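
The distinction drawn in the last reply, as an added example that is not part of the bug or of any browser's code: the blob workaround only succeeds when the file is same-origin or its server opts in through CORS. Function names are hypothetical, the CORS check is simplified to a plain GET with no preflight, and the response headers passed in are constructed sample input.

```javascript
// True when fileUrl has the same scheme, host and port as the page.
function isSameOrigin(pageUrl, fileUrl) {
  return new URL(fileUrl, pageUrl).origin === new URL(pageUrl).origin;
}

// Simplified CORS response check for a plain GET (assumption: no preflight).
// `headers` is a plain object with lower-case header names.
function corsAllowsRead(pageUrl, headers, withCredentials = false) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false; // server did not opt in
  const pageOrigin = new URL(pageUrl).origin;
  if (withCredentials) {
    // A wildcard is not accepted when cookies are sent with the request.
    return allow === pageOrigin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}

// Can script on pageUrl read fileUrl and offer it under a name it chooses?
function blobDownloadPermitted(pageUrl, fileUrl, headers, withCredentials = false) {
  return isSameOrigin(pageUrl, fileUrl) ||
    corsAllowsRead(pageUrl, headers, withCredentials);
}

// Browser-only part: the workaround from Comment 5.
// fetch() rejects when the CORS check above would fail, so no blob is created.
async function saveViaBlob(fileUrl, filename) {
  const resp = await fetch(fileUrl, { mode: "cors", credentials: "omit" });
  if (!resp.ok) throw new Error("HTTP " + resp.status);
  const objectUrl = URL.createObjectURL(await resp.blob());
  const a = document.createElement("a");
  a.href = objectUrl;    // blob: URL carries the page's own origin
  a.download = filename; // honored because the link is now same-origin
  document.body.appendChild(a);
  a.click();
  a.remove();
  setTimeout(() => URL.revokeObjectURL(objectUrl), 0);
}
```

With `credentials: "omit"` the fetch carries no cookies, so even a permissive server returns only what an anonymous visitor would see.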