Block cross-origin <a download>

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 65)
Intent stage: None

Summary

To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.

Standards & signals

Specification: https://html.spec.whatwg.org/multipage/semantics.html#the-a-element
Firefox: Shipped/Shipping
Safari: Shipped/Shipping
Web developers: No signals
Tracking bug: https://crbug.com/714373

Docs: https://developer.mozilla.org/en/docs/Web/HTML/Element/a

View on chromestatus.com