I have a download link like so:
<a href="foo.xls" download="bar.xls">Foobar</a>
This works fine when downloading a file on the same server, but when downloading from another server (Azure blob storage in this case) the filename stays as "foo.xls", even though the HTTP response comes back with the following header:
Is this by design or is there potentially another header I can to add to the HTTP response to get this to work?
Best How To :
Yes, it is by design that the CORS headers have no affect on the
download attribute. There are only two browsers that support the
download attribute, Firefox and Chrome, and both browsers have a different policy on cross-origin files.
Chrome actually does allow the
download attribute on cross-origin files, without CORS headers, but Firefox chose not to, citing potential social-engineering attacks.
MDN documents this behavior for Firefox 20 under the
download attribute section for the
a tag, behavior that has not changed since.
In Firefox 20 this attribute is only honored for links to resources with the same-origin.
This Bugzilla report discussed the security concerns and the possibility of using CORS.
When the user clicks such a link, the user will be prompted if they want to download. It seems very easy for the user to make the mistake of thinking that something on the original website is being downloaded, and not something from bank.com.
Would it be possible to implement it with same-origin and CORS (Access-Control-Allow-Origin) in mind if you are questioning cross origin security? This is very useful feature for web applications (create Blob using JS and let user download it with some meaningful name)
Google was opposed to using CORS for this.
There's also this Bugzilla report, which summarizes their decision from the other bug report.
Also, cross origin downloads are working perfectly in Google Chrome.
Yes, and we think they're adding security bugs by doing that.
The Bugzilla issues don't seem to rule-out the possibility of using CORS for cross-origin
download attribute support in the future, but right now using CORS headers does not do anything for the
download attribute. It's possible that if other browsers start supporting the attribute, a consensus may yet be reached.
For sake of completeness, there is of course the
Content-Disposition header which you can use to force a download from the other domain, but this does not provide the same functionality as the
download attribute. It does have better browser support though.