Notes on insecure (HTTP) downloads
This commit is contained in:
parent
9088dfd430
commit
d956339c8f
@ -282,6 +282,19 @@ client browser. Some APIs do not give any feedback.
|
||||
|
||||
:::
|
||||
|
||||
:::caution pass
|
||||
|
||||
In insecure (HTTP) contexts, Google Chrome will block downloads by default. The
|
||||
following screenshot was taken in Chrome 126.0.6478.127:
|
||||
|
||||
![Insecure download blocked](pathname:///files/dlblk.png)
|
||||
|
||||
This is a browser limitation and no pure JavaScript library can work around the
|
||||
issue. See [Issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) in
|
||||
the SheetJS bug tracker for more details.
|
||||
|
||||
:::
|
||||
|
||||
### HTML5 Download Attribute
|
||||
|
||||
_Writing Files_
|
||||
@ -436,6 +449,8 @@ drop_dom_element.addEventListener("dragenter", suppress, false);
|
||||
At the time of writing, browser support was fairly limited. Chrome introduced
|
||||
the feature in version 86. Safari did not support File System Access API.
|
||||
|
||||
The File System Access API is only available in secure (HTTPS) contexts.[^4]
|
||||
|
||||
:::
|
||||
|
||||
:::caution pass
|
||||
@ -819,4 +834,5 @@ Desktop and mobile apps have their own specific APIs covered in separate demos:
|
||||
|
||||
[^1]: See ["Input Type" in "Reading Files"](/docs/api/parse-options#input-type)
|
||||
[^2]: See ["Supported Output Formats" type in "Writing Files"](/docs/api/write-options#supported-output-formats)
|
||||
[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
|
||||
[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
|
||||
[^4]: See [issue 3145 in the SheetJS bug tracker](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145#issuecomment-11074) for more details. Special thanks to `@sjoenH`!
|
@ -474,3 +474,20 @@ to an `index.html` file, bypassing any third-party post-processing
|
||||
|
||||
There are known bugs with the SWC minifier (used in Next.js 13+). The original
|
||||
minifier can be enabled by setting `swcMinify: false` in `next.config.js`.
|
||||
|
||||
#### This file should be served over HTTPS
|
||||
|
||||
`writeFile` uses platform APIs to download files. In browsers, `writeFile` uses
|
||||
the [`download` attribute](/docs/demos/local/file/#html5-download-attribute).
|
||||
|
||||
Newer versions of Google Chrome and other browsers will block these downloads
|
||||
from "insecure contexts" (when served over HTTP rather than HTTPS). Users may be
|
||||
presented with the option to "keep" or "save" the file:
|
||||
|
||||
![Download blocked](pathname:///files/dlblk.png)
|
||||
|
||||
These limitations are enforced by the browser. It is strongly recommended to
|
||||
serve websites over HTTPS when possible.
|
||||
|
||||
See [issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) for a
|
||||
longer discussion.
|
||||
|
BIN
docz/static/files/dlblk.png
Normal file
BIN
docz/static/files/dlblk.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 21 KiB |
Loading…
Reference in New Issue
Block a user