You will receive such error:
_Download is disallowed. The frame initiating or instantiating the download is sandboxed, but the flag ‘allow-downloads’ is not set. See https://www.chromestatus.com/feature/5706745674465280 for more details._
Download should work.
I have found such tread in google bug tracker:
https://issuetracker.google.com/issues/157368720
So there is no workaround right now.
Server address: -
Server OS: Ubuntu 18.04
Webserver: nginx
Browser: Chrome 83.0.4103+
PrivateBin version: 1.3.4
I can reproduce this issue on https://privatebin.net: No (Because it doesn't support file upload)
Thank you very much for your report! I can reproduce this with various Chrome builds (Chrome, Chromium) on different environments (Linux, MacOS) with version 83.
As far as I can tell, we are affected because our recommended Content Security header includes the sandbox clause, which "enables a sandbox for the requested resource similar to the
I'll do some more tests and will report back with a recommendation on how to change this configuration option on instances that have file uploads enabled, to support chrome 83.
TL;DR recommendations on instances with file upload:
allow-downloads to the sandbox policies in the cspheader configuration option in the file cfg/conf.php and ensure the option is not commented. If you use the recommended defaults, it should end up looking like this:cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
Further details:
cspheader as described above will work there as well. Until 1.1 we did implement the attachment download as a data URL, which apparently isn't getting protected by the sandbox in Chrome 83.allow-downloads isn't a documented, standardized or supported setting! Firefox warns in the developer console that the invalid sandbox setting couldn't be applied, Chrome seems to apply any sandbox settings that it supports for iframes.Question for the other maintainers: As far as I can tell, adding the above setting doesn't have negative side effects except the warning in Firefox. Would you mind if I add it to the defaults in Configuration.php and the cfg/conf.sample.php, even though this isn't in any standard?
You can test the behaviour for yourselfs with the above suggested change to the CSP here with this sample image.
Thanks a lot! Config fix helped!
Question for the other maintainers: As far as I can tell, adding the above setting doesn't have negative side effects except the warning in Firefox. Would you mind if I add it to the defaults in Configuration.php and the cfg/conf.sample.php, even though this isn't in any standard?
Sure, do, no problem here.
Though clicking through the standards the current (10 June 2020) WHATWG draft seems to define that sandbox attribute added this March by a Google dev as a security feature.
So it may at some time be a standard, and then possibly come to (MDN) docs and Firefox etc.
See also: https://github.com/whatwg/html/pull/4293
Funnily that is the same as the aim of allow-downloads-without-user-activation (only this one is supposed to work when the user interacts with the iframe, i.e. in our case that would likely be enough), but that is deprecated according to MDN. However, whether that gets (re)implemented is still in discussion: https://github.com/whatwg/html/issues/5513
Though, yet again, maybe this is already implemented in Chrome/ium 73 at least, according to news articles?
Thank you for the additional research.
I reported this issue to Chrome at https://bugs.chromium.org/p/chromium/issues/detail?id=1106906 Content Security Policy standard does not define "allow-downloads" for the sandbox directive
As they say there and as we also said, it is actually defined, so it's not a bug as far as I see/IMHO. I'll guess the Chromeium devs will close the issue, too…
Well, it does have a bit of weird taste: The Chrome developer in question introduced this new standard into the WHATWG draft and immediately implement it, leaving the other browser no choice in either implementing it as well, before the standard is discussed and agreed upon or not support a feature to protect users from drive-by-downloads. This is very reminiscent of Microsofts behaviour of forcing new "standards" into existence and having the only browser that allows to benefit from it, during the browser wars in the 90ies.
In this one case, I do see a benefit of this feature and assume it is well intended - it would just have been more polite to wait till the flag would have been agreed upon in the standard committee instead of just unilaterally implementing it, running the risk that if WHATWG changes the flags name and we all end up having to change it twice or adding two flags instead of one, to support all browser versions. Let's see.
Most helpful comment
TL;DR recommendations on instances with file upload:
allow-downloadsto thesandboxpolicies in thecspheaderconfiguration option in the filecfg/conf.phpand ensure the option is not commented. If you use the recommended defaults, it should end up looking like this:Further details:
cspheaderas described above will work there as well. Until 1.1 we did implement the attachment download as a data URL, which apparently isn't getting protected by the sandbox in Chrome 83.allow-downloadsisn't a documented, standardized or supported setting! Firefox warns in the developer console that the invalid sandbox setting couldn't be applied, Chrome seems to apply any sandbox settings that it supports for iframes.Question for the other maintainers: As far as I can tell, adding the above setting doesn't have negative side effects except the warning in Firefox. Would you mind if I add it to the defaults in Configuration.php and the cfg/conf.sample.php, even though this isn't in any standard?
You can test the behaviour for yourselfs with the above suggested change to the CSP here with this sample image.