← Back to release summary

Download in Sandboxed Iframes

Category

Security

Type

New or changed feature

Status

Removed (Chrome 83)

Intent stage

None

Summary

Sandboxed iframe can initiate or instantiate downloads. Chrome is planning on removing this capability - i.e. Chrome is going to block all downloads initiated from or instantiated in a sandboxed iframe by default. The embedder may add "allow-downloads" to the sandbox attributes list to opt in. This allows content providers to restrict malicious or abusive downloads.

Motivation

This allows content providers to restrict malicious or abusive downloads.

Standards & signals

• Specification: https://github.com/whatwg/html/pull/4293
• Firefox: No signal — They may want to push for removing the 'allow-downloads' flag later (in favor of just always blocking downloads).
• Safari: No signal
• Web developers: No signals
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=539938

Docs: Spec: https://github.com/whatwg/html/pull/4293 Spec discussions: https://github.com/whatwg/html/issues/3236 Design Doc: https://docs.google.com/document/d/1XfLQd9IbJBPAE4IAOvu4EubUaLuICJrDlrmz0Ya_mqQ

View on chromestatus.com