I want the anchor element’s download attribute to work for cross-origin links that opt in via CORS
Submitted by Brad Isbell
Permalink https://webwewant.fyi/wants/0af3e1dd-d4c8-4420-ac95-9e9822c0e482/
This idea is currently being discussed.
The download attribute on <a> elements lets me tell the browser to download a linked resource rather than navigate to it, and to suggest a filename. Today, however, this only works for same-origin URLs — the attribute is silently ignored for cross-origin links, even when the remote server explicitly allows cross-origin access via CORS headers.
This limitation was introduced over a decade ago out of concern that users might be tricked into unknowingly downloading and re-uploading a cross-origin file. While I appreciate the original caution, the current restriction creates real problems without meaningfully improving security:
- Modern web apps commonly serve assets from CDNs or third-party storage (e.g., cdn.example.com). Today, those apps cannot offer a clean download link pointing directly at the CDN URL.
- The only workarounds are server-side proxies that set a Content-Disposition header, or fetching the resource as a Blob on the client. Proxy implementations are frequently insecure, and the Blob approach is slow and memory-intensive — completely impractical for large files.
- Many apps are deployed as static sites with no dynamic server infrastructure at all, leaving them with no viable path.
The fix should follow the existing CORS model: if a server includes the appropriate Access-Control-Allow-Origin header, it has already opted in to cross-origin access. Honouring the download attribute in that case adds no new attack surface and removes a significant practical obstacle for developers building with CDNs and serverless architectures.
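The server-side proxy workaround mentioned above has to validate both the URL it is asked to fetch and the filename it writes into Content-Disposition. The following Node.js sketch of those two checks is an added example, not part of the original submission; `ALLOWED_HOSTS`, `resolveDownloadTarget` and `contentDisposition` are hypothetical names, and the allowlist reuses the page's cdn.example.com.

```javascript
// Added example: checks a download proxy needs before it sets Content-Disposition.
// ALLOWED_HOSTS and both function names are hypothetical.
const ALLOWED_HOSTS = new Set(['cdn.example.com']);

// Resolve the client-supplied URL and refuse anything the proxy should not fetch.
function resolveDownloadTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  // Compare the parsed hostname, never a substring of the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host not allowed' };
  return { ok: true, url: url.href };
}

// Build a Content-Disposition value from an untrusted filename.
function contentDisposition(filename) {
  // Keep only the last path segment and drop control characters (incl. CR/LF).
  const base = String(filename).split(/[\\/]/).pop().replace(/[\u0000-\u001f\u007f]/g, '');
  const safe = base === '' || base === '.' || base === '..' ? 'download' : base;
  // ASCII fallback for old clients: replace quotes, backslashes and non-ASCII.
  const fallback = safe.replace(/[^\x20-\x7e]|["\\]/g, '_');
  // RFC 5987 ext-value: percent-encode UTF-8, plus the chars encodeURIComponent leaves.
  const encoded = encodeURIComponent(safe).replace(/['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `attachment; filename="${fallback}"; filename*=UTF-8''${encoded}`;
}
```

A proxy would call `resolveDownloadTarget` before making any upstream request and pass the result of `contentDisposition` straight to its response header.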