Closed Bug 874009 Opened 11 years ago Closed 11 years ago

HTML5 Download Attribute doesn't work for cross origin sites

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
21 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: marius.gebhardt, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22

Steps to reproduce:

<a href="http://upload.wikimedia.org/wikipedia/commons/8/87/Google_Chrome_icon_%282011%29.png" download="filename.png">Click me!</a>

http://jsbin.com/akawuq/2


Actual results:

The image was opened regulary


Expected results:

It should have being downloaded like in Google Chrome
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
This is a necessary security measure.  See the discussion in bug 676619.

Note that the behavior is just fine per spec, for what that's worth....
Blocks: 676619
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
In my opinion it doesn't make any sense to link it with the CORS Policy, because I don't see which security flaws the hackers could exploit with the HTML5 download attribute. Also, cross origin downloads are working perfectly in Google Chrome.
> because I don't see which security flaws the hackers could exploit with the HTML5
> download attribute. 

Please do read the discussion in bug 676619.

> Also, cross origin downloads are working perfectly in Google Chrome.

Yes, and we think they're adding security bugs by doing that.
I know this bug is labeled invalid and I know the devs don't want to address the issue further...but if anyone reads this I'd really like to know if there is some way *advanced* FF users can enable cross-origin downloads.

I mean, c'mon, the case against allowing cross-origin downloads is built on the premise that users could unknowingly download a file from a site containing their own personal information (e.g., gmail.com) and save it using a misleading name (e.g. "30off.coupon.txt") AND THEN proceed to another malicious page where they directly go and upload that same file they just downloaded. I mean c'mon. Seriously?? Anyone who's gonna fall for that deserves to lose their personal information.

I'm all for browser security, but I think a simple preference in about:config to enable cross-origin a@download is in order. Please consider. Thank you.
Solution make a ajax call, create a blob, objectURL and set that as download attribute - all set

How is this any different?
The difference is the ajax call enforces same-origin or CORS opt-in.  I suppose we could do something where @download is considered for cross-origin but CORS is then enforced...
You need to log in before you can comment on or make changes to this bug.