By several REST clients the credentials are sent with every request through custom HTTP authorization headers to the REST service. Is there a way to force file download in the browser when accessing files stored in the REST service, is protected with this kind of authentication?
Force file download: Content-Disposition: attachment
.
Force file download in browser: document.location.href="{downloadURL}"
.
There is no way to force file download with XHR.
REST requests must be stateless (according to the statelessness constraint of REST), so the session must be maintained by the REST client, and that's why I have to send credentials with every request.