Downloads in sandboxed <iframe> will be blocked by default


Categories: DOM, HTML, Privacy & Security

Releases: Firefox 82


For enhanced security, starting with Firefox 82, downloads initiated in an <iframe> with the sandbox attribute will be blocked by default. In order to allow such downloads, the embedder has to opt in by explicitly adding the allow-downloads token to the HTML attribute or CSP sandbox directive.

Google has already made the same change in Chrome 83 shipped in May 2020.