Ignore suggested download filename for cross origin links.

Source/core/html/HTMLAnchorElement.cpp

Index: Source/core/html/HTMLAnchorElement.cpp
diff --git a/Source/core/html/HTMLAnchorElement.cpp b/Source/core/html/HTMLAnchorElement.cpp
index 33e6a318c7b93d13044a36ad4a3bce30857debed..7eddda5eee27d20ab6a1cc2b53a12bc9e8b659b1 100644
--- a/Source/core/html/HTMLAnchorElement.cpp
+++ b/Source/core/html/HTMLAnchorElement.cpp
@@ -431,7 +431,10 @@ void HTMLAnchorElement::handleClick(Event* event)
                 request.setHTTPReferrer(Referrer(referrer, document().referrerPolicy()));
         }
 
-        frame->loader().client()->loadURLExternally(request, NavigationPolicyDownload, fastGetAttribute(downloadAttr));
+        bool isSameOrigin = document().securityOrigin()->canRequest(completedURL);
+        const AtomicString& suggestedName = (isSameOrigin ? fastGetAttribute(downloadAttr) : nullAtom);
+
+        frame->loader().client()->loadURLExternally(request, NavigationPolicyDownload, suggestedName);

[abarth-chromium, 2014/03/17 18:17:48]

This check doesn't work.  The attacker can use an HTTP redirect to make the
initial URL looks same-origin but have the actual content come from an arbitrary
URL.

You probably need to do this check in the download system after you've followed
the whole redirect chain.

[asanka, 2014/03/17 18:50:24]

Good point! Thanks.

     } else {
         FrameLoadRequest frameRequest(&document(), request, target());
         frameRequest.setTriggeringEvent(event);