Notes on insecure (HTTP) downloads

2024-07-09 03:52:47 -04:00 · 2024-07-09 03:52:47 -04:00 · d956339c8f
commit d956339c8f
parent 9088dfd430
3 changed files with 34 additions and 1 deletions
--- a/docz/docs/03-demos/27-local/01-file.md
+++ b/docz/docs/03-demos/27-local/01-file.md
@ -282,6 +282,19 @@ client browser. Some APIs do not give any feedback.

 :::

+:::caution pass
+
+In insecure (HTTP) contexts, Google Chrome will block downloads by default. The
+following screenshot was taken in Chrome 126.0.6478.127:
+
+![Insecure download blocked](pathname:///files/dlblk.png)
+
+This is a browser limitation and no pure JavaScript library can work around the
+issue. See [Issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) in
+the SheetJS bug tracker for more details.
+
+:::
+
 ### HTML5 Download Attribute

 _Writing Files_
@ -436,6 +449,8 @@ drop_dom_element.addEventListener("dragenter", suppress, false);
 At the time of writing, browser support was fairly limited.  Chrome introduced
 the feature in version 86.  Safari did not support File System Access API.

+The File System Access API is only available in secure (HTTPS) contexts.[^4]
+
 :::

 :::caution pass
@ -819,4 +834,5 @@ Desktop and mobile apps have their own specific APIs covered in separate demos:

 [^1]: See ["Input Type" in "Reading Files"](/docs/api/parse-options#input-type)
 [^2]: See ["Supported Output Formats" type in "Writing Files"](/docs/api/write-options#supported-output-formats)
-[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
+[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
+[^4]: See [issue 3145 in the SheetJS bug tracker](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145#issuecomment-11074) for more details. Special thanks to `@sjoenH`!
--- a/docz/docs/09-miscellany/02-errors.md
+++ b/docz/docs/09-miscellany/02-errors.md
@ -474,3 +474,20 @@ to an `index.html` file, bypassing any third-party post-processing

 There are known bugs with the SWC minifier (used in Next.js 13+). The original
 minifier can be enabled by setting `swcMinify: false` in `next.config.js`.
+
+#### This file should be served over HTTPS
+
+`writeFile` uses platform APIs to download files. In browsers, `writeFile` uses
+the [`download` attribute](/docs/demos/local/file/#html5-download-attribute).
+
+Newer versions of Google Chrome and other browsers will block these downloads
+from "insecure contexts" (when served over HTTP rather than HTTPS). Users may be
+presented with the option to "keep" or "save" the file:
+
+![Download blocked](pathname:///files/dlblk.png)
+
+These limitations are enforced by the browser. It is strongly recommended to
+serve websites over HTTPS when possible.
+
+See [issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) for a
+longer discussion.
--- a/docz/static/files/dlblk.png
+++ b/docz/static/files/dlblk.png