Prevent downloads in <iframe sandbox> by default

This adds a restriction to <iframe sandbox> that downloads are not
allowed by default from the iframe. This restriction can be lifted with
the new sandbox token "allow-downloads".

Closes #3236.

source

@@ -23736,13 +23736,36 @@ document.body.appendChild(wbr);</code></pre>
 
  <hr>
 
+ <p>The following <dfn>allowed to download</dfn> algorithm takes an <var>initiator browsing
+ context</var> and an <var>instantiator browsing context</var>, and returns a boolean indicating
+ whether or not downloading is allowed:</p>
+
+ <ol>
+ <li><p>If the <var>initiator browsing context</var>'s <span data-x="determining sandboxing
+ flags">sandboxing flags</span> has the <span>sandboxed downloads browsing context
+ flag</span> set, then return false.</p></li>
+
+ <li><p>If the <var>instantiator browsing context</var> is non-null, and its <span
+ data-x="determining sandboxing flags">sandboxing flags</span> has the <span>sandboxed downloads
+ browsing context flag</span> set, then return false.</p></li>
+
+ <li><p>Optionally, the user agent may return false, if it believes doing so would safeguard the
+ user from a potentially hostile download.</p></li>
+
+ <li><p>Return true.</p></li>
+ </ol>
+
  <p>When a user <dfn data-x="downloading hyperlinks" data-export="">downloads a hyperlink</dfn>
  created by an element <var>subject</var>, optionally with a <var>hyperlink suffix</var>, the user
  agent must run the following steps:</p>
 
  <ol>
  <li><p>If <var>subject</var> <span>cannot navigate</span>, then return.</p></li>
 
+ <li><p>Run the <span>allowed to download</span> algorithm with the <var>subject</var>'s <span>node
+ document</span>'s <span data-x="concept-document-bc">browsing context</span> and null. If the
+ algorithm returns false, then return.</p></li>
+
  <li><p><span data-x="parse a url">Parse</span> the <span>URL</span> given by
  <var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute, relative to
  <var>subject</var>'s <span>node document</span>.</p></li>
@@ -23773,11 +23796,10 @@ document.body.appendChild(wbr);</code></pre>
  </li>
  </ol>
 
- <p>When a user agent is to handle a resource obtained from a fetch <dfn>as a download</dfn>, act
- in a user-agent-defined manner to safeguard the user from a potentially hostile download. If the
- download is not to be aborted, it should provide the user with a way to save the resource for
- later use, if a resource is successfully obtained; or otherwise should report any problems
- downloading the file to the user.</p>
+ <p>When a user agent is to handle a resource obtained from a fetch <dfn>as a download</dfn>, it
+ should provide the user with a way to save the resource for later use, if a resource is
+ successfully obtained. Otherwise, it should report any problems downloading the file to the
+ user.</p>
 
  <p>If the user agent needs a file name for a resource being handled <span>as a download</span>, it
  should select one using the following algorithm.</p>
@@ -30632,8 +30654,9 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
  <code data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code>, <code
  data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>, <code
  data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code>, <code
- data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, and <code
- data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>.</p>
+ data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code>, <code
+ data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>,
+ and <code data-x="attr-iframe-sandbox-allow-downloads">allow-downloads</code>.</p>
 
  <p>When the attribute is set, the content is treated as being from a unique <span>origin</span>,
  forms, scripts, and various potentially annoying APIs are disabled, links are prevented from
@@ -82492,6 +82515,17 @@ interface <dfn>BarProp</dfn> {
 
  </dd>
 
+ <dt>The <dfn data-export="">sandboxed downloads browsing context flag</dfn></dt>
+
+ <dd>
+
+ <p>This flag prevents content from initiating or instantiating downloads, whether through <span
+ data-x="downloading hyperlinks">downloading hyperlinks</span> or through <span
+ data-x="process a navigate response">navigation</span> that gets handled <span>as a
+ download</span>.</p>
+
+ </dd>
+
  </dl>
 
  <p>When the user agent is to <dfn data-export="">parse a sandboxing directive</dfn>, given a
@@ -82593,6 +82627,10 @@ interface <dfn>BarProp</dfn> {
  data-x="attr-iframe-sandbox-allow-presentation">allow-presentation</code></dfn>
  keyword.</p></li>
 
+ <li><p>The <span>sandboxed downloads browsing context flag</span>, unless <var>
+ tokens</var> contains the <dfn><code
+ data-x="attr-iframe-sandbox-allow-downloads">allow-downloads</code></dfn> keyword.</p></li>
+
  </ul>
 
  </li>
@@ -84781,8 +84819,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
  <li><p>If <var>response</var> has an `<code
  data-x="http-content-disposition">Content-Disposition</code>` header specifying the <code
- data-x="">attachment</code> disposition type, then handle it <span>as a download</span> and
- return.</p></li>
+ data-x="">attachment</code> disposition type, then run the <span>allowed to
+ download</span> algorithm with the <span>source browsing context</span> of the navigation and the
+ browsing context being <span data-x="navigate">navigated</span>. If the algorithm returns false,
+ return; otherwise, handle <var>response</var> <span>as a download</span> and return.</p></li>
 
  <li><p>Let <var>type</var> be the <span data-x="Content-Type sniffing">computed type of
  <var>response</var></span>.</p></li>