Html: Consider allowing downloads by user interaction within a sandboxed iframe
Previously: https://github.com/whatwg/html/issues/3236
As of early March, the HTML Standard has been updated to disallow browser downloads within sandboxed iframes by default, but with the ability to re-enable full iframe download capability, with no restrictions, by setting the allow-downloads flag on the sandbox attribute.
This puts us (Observable) — and other websites that allow users to write JavaScript within sandboxed iframes — in a bit of a pickle, because we would like to allow our authors to craft dynamic, JavaScript-driven downloads, but we don’t want to make it possible for them to write drive-by downloads that trigger merely by virtue of a visitor loading the webpage. Without a safe way to allow sandboxed iframes to offer downloads, we’ll have to resort to limiting workarounds, like postMessage()-ing a Blob up to the parent frame for download from there.
In other words, we would like to allow downloads only by user interaction, using the same mechanism in place to guard access to potentially abusable web APIs. User interaction is already used to restrict a sandbox directive with allow-top-navigation-by-user-activation. My hope is that allow-downloads-by-user-activation might be considered as well. It seems like was the original plan for #3236, until October.
Here are some use cases to motivate the feature:
A coronavirus tracking graphic that allows readers to download the source data that backs it as a TSV formatted text file: https://observablehq.com/@elaval/coronavirus-worldwide-evolution
An npm package dependency visualizer notebook that allows you to download the resulting graphviz image as either an SVG or PNG file: https://observablehq.com/@mbostock/package-dependencies
A fancy exploration of building buckyball models out of toilet paper tube strips, which includes an interactive simulation, which you can manipulate and then download the currently configured graph as a JSON file: https://observablehq.com/@rreusser/toiletpaperfullerenes-and-charmin-nanotubes
A "chart-o-matic", where you can edit the textarea to generate a different bubble map, and then download the resulting image as a PNG or SVG: https://observablehq.com/@mbostock/bubble-o-matic
Finally, here’s an example of the type of drive-by download we’d like to prevent with allow-downloads-by-user-activation. The author uses a simulated .click() on a link to force the download of a small SVG file: https://observablehq.com/@msurguy/untitled/3
Thanks in advance for (re)considering!
jashkenas
All 4 comments
I'll add another use case: We have a free application we'll give you in return for getting your email. Unabashed lead generation, yes, but it gives you something of value in return for your info, and does nothing unless you click.
True it's not vital to this use case. But in these days of third party javascript libraries, I'd far prefer it allow only the download you click on. That will build an extra firewall as one more hurdle for malice to clear if one of the third-party library providers has, um, an accident. I'm after anything I can do to stop someone stuffing something into potential customers systems.
Paladin
on 17 Jun 2020
I'll add another use case too.
Each custom visual made in Power BI is included in an iframe with a allow-scripts flag. Before the update, you could make a fancy interface of whatever you like and place a download button which worked well for loading images, documents and data in different formats. I have several custom visuals where this feature of downloading is really crucial in the company I work.
Now it is impossible because MS Team refused to include a allow-downloads flag. So all these custom visuals have become much less functional, some of them even useless at all.
I am sure if there were an option when using iframe without allow-downloads flag to prompt for user agreement to download, it would be much better and would solve my new problem.
sanederchik
on 8 Jul 2020
It looks like we invented sandboxed iframes, but gradually, we are turning them into regular iframes.
I am using regular iframes everywhere and it works great. If you are afraid that the page inside a frame will be "evil", don't use it into your page.
photopea
on 8 Jul 2020
We had some power BI custom visuals, which used to export the visual data in custom format than the default way provided by Microsoft. They were functioning great, but now because of this restriction all of our visuals became useless. As @sanederchik suggested, showing a prompt to the user when a sandboxed iframe downloads a file would be a great idea.
arjunanag
on 3 Sep 2020
Related issues
travisleithead
·
4Comments
tontonsb
·
3Comments
lazarljubenovic
·
4Comments
jyasskin
·
3Comments
mustaqahmed
·
4Comments
Most helpful comment
We had some power BI custom visuals, which used to export the visual data in custom format than the default way provided by Microsoft. They were functioning great, but now because of this restriction all of our visuals became useless. As @sanederchik suggested, showing a prompt to the user when a sandboxed iframe downloads a file would be a great idea.