It's currently possible to force a download by serving a file with a "Content-Disposition: attachment; filename=..." header. Notably, this mechanism can be used to download a file with minimal user interaction by including the resource to be downloaded in an IFrame. This holds even for sandboxed IFrames, as demonstrated by http://lcamtuf.coredump.cx/sandboxed.html (clicking that link will download a file, fair warning).
It seems consistent with the general thought behind the `sandbox` attribute that it should control downloads as well as the bits it already locks down. I'd propose adjusting the spec to include a sandboxed downloads flag, which, when present, would block all downloads from inside the frame (or, perhaps only require user confirmation?). This restriction could be lifted via an 'allow-downloads' keyword, if present in the sandbox attribute's token list. WDYT?

--
Mike West <mk...@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91