Consider the following page:

https://8chan.co/stackoverflow.html

Why does the first link work, but the second link doesn't? Do I need to send a certain header, or is it impossible to use the download attribute on a subdomain?

Fredrick Brennan

1 Answer

Chrome actually does allow the download attribute on cross-origin files, without CORS headers, but Firefox chose not to, citing potential social-engineering attacks.

Check this link... HTML5 download attribute not working when downloading from another server, even when Access-Control-Allow-Origin is set to all (*)

You could fix it with a PHP proxy file, something like:

```php
<?php
$url = $_GET['file'];
$name = $_GET['name'];
header("Content-type: application/$ext");
header("Content-Disposition: attachment; filename=".$name);
echo readfile($url);
?>
```

SergioZgz
  • I know this was posted a while ago, but the mp4 file is corrupt when I use the above code...? – FluxCoder Sep 25 '16 at 17:45
  • better not add trailing `?>` as it may corrupt the output – thybzi Oct 10 '16 at 11:51
  • and what is `$ext`? that should be for file extension, but the variable isn't defined – thybzi Oct 10 '16 at 11:54
  • "Chrome actually does allow the download attribute on cross-origin files" — I suppose at the moment Chrome also disables cross-origin download attr – thybzi Oct 10 '16 at 11:56
  • This code allows header injection and serves a proxy for any file on the internet. **That should be considered unsafe.** Don't build something like this without a whitelist! – Franz May 06 '19 at 11:34
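
An allowlisted variant of the proxy that addresses the points raised in the comments (undefined `$ext`, the echoed `readfile()` return value, the trailing `?>`, header injection and the open proxy). This is an added example, not code from the answer or the commenters; the ids, the `media.example.com` URLs and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: the client sends an id, never a URL.
// Hosts and file names below are placeholders.
const DOWNLOADS = [
    'intro'  => ['url' => 'https://media.example.com/intro.mp4',  'ext' => 'mp4', 'type' => 'video/mp4'],
    'manual' => ['url' => 'https://media.example.com/manual.pdf', 'ext' => 'pdf', 'type' => 'application/pdf'],
];

// Build a filename that is safe inside a quoted Content-Disposition value.
function safeFilename(string $requested, string $ext): string
{
    $base = pathinfo(basename($requested), PATHINFO_FILENAME);
    // Replaces CR/LF, quotes, dots, slashes and every other character outside the set.
    $base = substr((string) preg_replace('/[^A-Za-z0-9_-]/', '_', $base), 0, 64);
    // The extension always comes from the allowlist entry, not from the request.
    return ($base === '' ? 'download' : $base) . '.' . $ext;
}

function serveDownload(array $query): void
{
    $id = $query['file'] ?? '';
    if (!is_string($id) || !array_key_exists($id, DOWNLOADS)) {
        http_response_code(404);            // unknown id: nothing is fetched
        return;
    }
    $entry = DOWNLOADS[$id];
    $name  = is_string($query['name'] ?? null) ? $query['name'] : $id;

    $in = @fopen($entry['url'], 'rb');      // needs allow_url_fopen, as readfile($url) does
    if ($in === false) {
        http_response_code(502);            // upstream fetch failed, no download headers sent
        return;
    }
    header('Content-Type: ' . $entry['type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . safeFilename($name, $entry['ext']) . '"');
    fpassthru($in);                         // streams the body; the byte count is not echoed
    fclose($in);
}

// Only serve when running under a web SAPI, so the file can be included from the CLI.
if (PHP_SAPI !== 'cli') {
    serveDownload($_GET);
}
```

With this layout a link such as `proxy.php?file=intro&name=My%20Video` is served as `My_Video.mp4`, and any `file` value outside the allowlist gets a 404 without an outbound request.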