1

Several REST clients send the credentials with every request to the REST service through custom HTTP authorization headers. Is there a way to force a file download in the browser when accessing files stored in a REST service that is protected with this kind of authentication?

Force file download: Content-Disposition: attachment.
Force file download in browser: document.location.href="{downloadURL}".
There is no way to force file download with XHR.
REST requests must be stateless (according to the statelessness constraint of REST), so the session must be maintained by the REST client, and that's why I have to send credentials with every request.

inf3rno
  • Patently these headers are not providing the protection you are looking for. It might be helpful if you explained what the threat you are trying to protect against is. – symcbean Jun 02 '14 at 16:14

1 Answer

3

With a recent browser, you can use client-side JavaScript to prompt the user to save an arbitrary blob (including one you just downloaded from the server using XMLHttpRequest 2). You can even specify a filename.

See: https://github.com/eligrey/FileSaver.js

One caveat is that I believe the data will have to be cached in memory, rather than written to disk incrementally as it is downloaded, as would be done with a normal file download, which may be a problem for a large file.

jbms
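The approach described in this answer, as an added example that is not part of the original post or of FileSaver.js: the file is requested with the credentials in a header, buffered as a Blob, and then offered to the user as a save. The URL, the `Authorization` value, the fallback name and the helper names (`safeFilename`, `fetchProtectedFile`, `saveBlob`) are assumptions made for illustration.

```javascript
// Added example. Endpoint, header value and function names are hypothetical.

// Reduce a server-supplied Content-Disposition filename to a safe basename,
// so it cannot carry path components or control characters into the save.
function safeFilename(contentDisposition, fallback = "download.bin") {
  const m = /filename\*?=(?:UTF-8'')?"?([^";]+)"?/i.exec(contentDisposition || "");
  if (!m) return fallback;
  let name;
  try { name = decodeURIComponent(m[1]); } catch { name = m[1]; }
  name = name.split(/[\\/]/).pop().replace(/[\u0000-\u001f<>:"|?*]/g, "_").trim();
  return name === "" || name === "." || name === ".." ? fallback : name;
}

// Request the file with the credentials in a header, as the REST service
// expects on every request, and return the body as a Blob plus a filename.
async function fetchProtectedFile(url, authHeaderValue, fetchImpl = fetch) {
  const res = await fetchImpl(url, { headers: { Authorization: authHeaderValue } });
  if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
  const blob = await res.blob(); // the whole body is held in memory here
  return { blob, filename: safeFilename(res.headers.get("Content-Disposition")) };
}

// Browser-only step: offer the Blob to the user as a file save.
function saveBlob(blob, filename) {
  const href = URL.createObjectURL(blob);
  const a = Object.assign(document.createElement("a"), { href, download: filename });
  document.body.appendChild(a);
  a.click();
  a.remove();
  // Release the object URL once the browser has had time to start the save.
  setTimeout(() => URL.revokeObjectURL(href), 10000);
}

// Usage in a page (placeholder URL and token):
// fetchProtectedFile("https://api.example.test/files/42", "Bearer <token>")
//   .then(({ blob, filename }) => saveBlob(blob, filename));
```

Because `res.blob()` buffers the complete response, the memory caveat from the answer applies unchanged to this sketch.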