Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revisit anchor element download attribute for cross-origin links #628

Open
WebWeWantBot opened this issue Jun 22, 2023 · 0 comments
Open

Revisit anchor element download attribute for cross-origin links #628

WebWeWantBot opened this issue Jun 22, 2023 · 0 comments

Comments

@WebWeWantBot
Copy link

title: Revisit anchor element download attribute for cross-origin links
date: 2023-06-22T22:19:19.331Z
submitter: Brad Isbell
number: 6494c8e7b2763a007a11a7f3
tags: [ ]
discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/
status: [ discussing || in-progress || complete ]
related:

  • title:
    url:
    type: [ article || explainer || draft || spec || note || discussion ]

Today, the download attribute for anchor elements can be used to specify that the linked resource should be downloaded (rather than opened in a browser view), and can also specify a filename. For example, suppose my website at https://puppy-vlog.example.com/ wants to provide a download link for the latest episode.

<a href="puppy.webm" download="My Puppy.webm">
  Download my puppy's latest vlog!
</a>

Now, suppose my site becomes popular and I want to use common CDNs to serve my downloads:

<a href="https://cdn.example.com/puppy-vlog/assets/2acaf36f-b8b6-4222-bc7a-7c4e4052f881" download="My Puppy.webm">
  Download my puppy's latest vlog!
</a>

This doesn't work.

The reason is that over a decade ago, it was decided this was a potential security risk. The argument, as I understand it, is that we did not want users making a cross-origin download while not realizing they were doing that. We did not want them to be tricked into then re-uploading that file to the place they downloaded it from. You can read some of this discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=676619

While I appreciate the concern for the security of this edge case, I think in practice we have more security issues, as well as wasted resources. With no way for the client to specify a download, the server must do it by way of Content-Disposition header. This has lead to many insecure implementations of proxying resources. (A common example can be seen on Stack Overflow: https://stackoverflow.com/a/29773570/362536)

Furthermore, we are now in a time where many web applications are simple static websites without any dynamic server infrastructure. Without a server to proxy and add the header, these applications can't do much about their situation. At best they can fetch the resource as a Blob, but this is slow, memory intensive, and inappropriate for files of any significant size.

A solution...

Let's follow existing CORS restrictions. Certainly if an origin is willing to opt-in to allow another origin to fetch its resources directly, there cannot be any additional risk from allowing users to download cross-origin.

If posted, this will appear at https://webwewant.fyi/wants/6494c8e7b2763a007a11a7f3/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@WebWeWantBot