HTML5 download attribute not working when downloading from another server, even when Access-Control-Allow-Origin is set to all (*)
Yes, it is by design that the CORS headers have no effect on the download attribute. There are only two browsers that support the download attribute, Firefox and Chrome, and both browsers have a different policy on cross-origin files.
Chrome versions prior to 65 actually did allow the download attribute on cross-origin files, without CORS headers, but Firefox chose not to, citing potential social-engineering attacks.
MDN documents this behavior for Firefox 20 under the download attribute section for the a tag, behavior that has not changed since.
"In Firefox 20 this attribute is only honored for links to resources with the same-origin."
This Bugzilla report discussed the security concerns and the possibility of using CORS.
"When the user clicks such a link, the user will be prompted if they want to download. It seems very easy for the user to make the mistake of thinking that something on the original website is being downloaded, and not something from bank.com."
"Would it be possible to implement it with same-origin and CORS (Access-Control-Allow-Origin) in mind if you are questioning cross origin security? This is very useful feature for web applications (create Blob using JS and let user download it with some meaningful name)"
Google was opposed to using CORS for this.
There's also this Bugzilla report, which summarizes their decision from the other bug report.
"Also, cross origin downloads are working perfectly in Google Chrome."
"Yes, and we think they're adding security bugs by doing that."
The Bugzilla issues don't seem to rule out the possibility of using CORS for cross-origin download attribute support in the future, but right now using CORS headers does not do anything for the download attribute. It's possible that if other browsers start supporting the attribute, a consensus may yet be reached.
For the sake of completeness, there is of course the Content-Disposition header which you can use to force a download from the other domain, but this does not provide the same functionality as the download attribute. It does have better browser support though.
Chrome Download Attribute not working
After some research I have finally found your problem.
<a> download attribute:
If the HTTP header Content-Disposition: is present and gives a different filename than this attribute, the HTTP header has priority over this attribute.
If this attribute is present and Content-Disposition: is set to inline, Firefox gives priority to Content-Disposition, like for the filename case, while Chrome gives priority to the download attribute.
Source
HTTP-Header Content-Disposition
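The rules from both answers above, combined into one decision function as an added example (not code from either answer or from any browser). The function and field names, the example hosts and the 'chrome-pre-65' label are assumptions made for illustration.

```javascript
// Added example: encodes the rules stated on this page, not browser source code.
// resolveDownload and parseContentDisposition are hypothetical names.

// Extract the disposition type and a simple filename= parameter.
// Simplification: does not handle ';' inside quoted values or filename*=.
function parseContentDisposition(header) {
  if (!header) return { type: null, filename: null };
  const [type, ...params] = header.split(';').map((s) => s.trim());
  let filename = null;
  for (const p of params) {
    const m = /^filename\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) filename = m[1];
  }
  return { type: type.toLowerCase(), filename };
}

// browser is one of 'firefox', 'chrome' (65 or later), 'chrome-pre-65'.
// Access-Control-Allow-Origin is deliberately not an input: it has no effect here.
// A null filename means the browser picks the name itself.
function resolveDownload({ pageUrl, href, downloadAttr, contentDisposition, browser }) {
  const sameOrigin = new URL(href, pageUrl).origin === new URL(pageUrl).origin;
  const hasAttr = downloadAttr !== undefined && downloadAttr !== null;
  // Cross-origin links keep the attribute only in Chrome before 65.
  const attrHonored = hasAttr && (sameOrigin || browser === 'chrome-pre-65');
  const attrName = attrHonored && downloadAttr ? downloadAttr : null;
  const cd = parseContentDisposition(contentDisposition);
  const navigate = { action: 'navigate', filename: null };

  // The server can force a download from any origin; its filename wins.
  if (cd.type === 'attachment') {
    return { action: 'download', filename: cd.filename || attrName };
  }
  if (!attrHonored) return navigate;
  // Attribute plus "inline": Firefox follows the header, Chrome the attribute.
  if (cd.type === 'inline' && browser === 'firefox') return navigate;
  return { action: 'download', filename: cd.filename || attrName };
}

// Constructed sample: a page on app.example linking to a file on cdn.example.
const sample = {
  pageUrl: 'https://app.example/reports',
  href: 'https://cdn.example/files/q3.pdf',
  downloadAttr: 'report.pdf',
};
for (const browser of ['firefox', 'chrome', 'chrome-pre-65']) {
  console.log(browser, resolveDownload({ ...sample, browser }));
}
```
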