Auto-download trigger
Check whether file downloads can start without an explicit user click via download attributes, Blob URLs, or data URLs.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | blocked |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/auto-download?lang=en" title="XSS Playground - Auto-download trigger" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- Modern browsers limit repeated downloads without a user gesture, but the first one usually passes. A surprise file dropping inside a trusted-looking page is enough to start a phishing flow.
- With sandbox="allow-scripts", a.click() works but a.download-driven downloads tend to be blocked unless allow-downloads is also granted.
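The table and the allow-downloads note above amount to a simple policy rule that an embedding service can check before it ships an iframe. The following audit helper is an added example, not code from XSS Playground: it scans a block of HTML for iframe tags and reports, per frame, whether script inside it could still start an a.download, Blob or data: download without a click (no sandbox attribute, or a sandbox that includes allow-downloads). The sample HTML is constructed; the first frame is the page's own embed snippet, which carries no sandbox attribute, and the example.test URLs are placeholders. A regex scan like this is fine for a quick review of templates; use a real HTML parser for anything adversarial.

```javascript
// Added example (not part of the XSS Playground page). Audits <iframe> tags
// for sandbox policies that still permit downloads without a user gesture.
// Rules, taken from the page's table plus its allow-downloads note:
//   no sandbox attribute              -> downloads work
//   sandbox="... allow-downloads ..." -> downloads work
//   any other sandbox value (incl. bare `sandbox`) -> a.download / Blob / data: blocked

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value', or name=value
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  // A bare `sandbox` (no "=") is the strictest policy: record it as an empty value.
  const leftovers = raw.replace(ATTR_RE, '');
  if (!('sandbox' in attrs) && /(^|\s)sandbox(\s|$)/i.test(leftovers)) {
    attrs.sandbox = '';
  }
  return attrs;
}

// True when embedded script could trigger a download without a click.
function downloadsAllowed(attrs) {
  if (!('sandbox' in attrs)) return true; // unsandboxed: everything works
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('allow-downloads');
}

// Return one finding per iframe in the given HTML.
function auditIframes(html) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    findings.push({
      src: attrs.src ?? '',
      sandbox: 'sandbox' in attrs ? attrs.sandbox : null,
      downloadsAllowed: downloadsAllowed(attrs),
    });
  }
  return findings;
}

// Constructed sample: the page's embed snippet (no sandbox) plus three
// variants on placeholder example.test hosts.
const SAMPLE_HTML = `
<iframe src="https://xss-playground.com/embed/auto-download?lang=en" title="XSS Playground - Auto-download trigger" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
<iframe src="https://example.test/widget" sandbox="allow-scripts"></iframe>
<iframe src="https://example.test/static" sandbox></iframe>
<iframe src="https://example.test/files" sandbox="allow-scripts allow-downloads"></iframe>
`;

for (const f of auditIframes(SAMPLE_HTML)) {
  const policy = f.sandbox === null ? '(no sandbox)' : `sandbox="${f.sandbox}"`;
  console.log(`${f.downloadsAllowed ? 'REVIEW ' : 'ok     '} ${policy.padEnd(42)} ${f.src}`);
}

module.exports = { parseAttrs, downloadsAllowed, auditIframes, SAMPLE_HTML };
```

Run it with node; the first and last frames are flagged for review because either no sandbox is set or allow-downloads is granted explicitly. When a third-party embed genuinely needs to serve files, grant allow-downloads deliberately and keep the frame on its own origin so the download cannot masquerade as the host page's content.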