問題描述

我有一個這樣的下載鏈接:

<a href="foo.xls" download="bar.xls">Foobar</a>

這在同一臺服務器上下載文件時工作正常，但從另一臺服務器(在本例中為 Azure blob 存儲)下載時，文件名保持為foo.xls"，即使 HTTP 響應返回以下標頭:

訪問控制允許來源:*

這是設計使然，還是有可能我可以將另一個標頭添加到 HTTP 響應中以使其正常工作?

是的，CORS 標頭對 download 屬性沒有影響是設計使然.只有兩種瀏覽器支持 download 屬性，Firefox 和 Chrome，兩種瀏覽器對跨域文件的政策不同.

Chrome 版本 65 之前實際上確實允許跨域文件的 download 屬性，沒有 CORS 標頭，但 Firefox 選擇不這樣做，理由是潛在的社會工程攻擊.

MDN 在 a 標記 的download 屬性部分，此后的行為沒有改變.

在 Firefox 20 中，此屬性僅適用于指向同源資源的鏈接.

此 Bugzilla 報告討論了安全問題和使用 CORS 的可能性.

當用戶點擊此類鏈接時，系統會提示用戶是否想下載.用戶似乎很容易犯錯認為原始網站上的某些東西正在下載的，而不是從 bank.com 下載的.

能不能用同源和CORS來實現(Access-Control-Allow-Origin) 如果您質疑跨來源，請記住安全?這對 Web 應用程序非常有用(創建 Blob使用 JS 并讓用戶用一些有意義的名稱下載它)

Google 反對為此使用 CORS.

還有這個 Bugzilla 報告，總結了他們從另一個錯誤中做出的決定報告.

此外，跨源下載在 Google Chrome 中也能完美運行.

是的，我們認為他們這樣做是在添加安全漏洞.

Bugzilla 問題似乎不排除將來使用 CORS 進行跨域 download 屬性支持的可能性，但現在使用 CORS 標頭對 <代碼>下載屬性.如果其他瀏覽器開始支持該屬性，則可能尚未達成共識.

為了完整起見，當然有 Content-Disposition 標頭，您可以使用它來強制從其他域下載，但這不提供與 相同的功能下載 屬性.不過它確實有更好的瀏覽器支持.

I have a download link like so:

<a href="foo.xls" download="bar.xls">Foobar</a>

This works fine when downloading a file on the same server, but when downloading from another server (Azure blob storage in this case) the filename stays as "foo.xls", even though the HTTP response comes back with the following header:

Access-Control-Allow-Origin: *

Is this by design or is there potentially another header I can to add to the HTTP response to get this to work?

Yes, it is by design that the CORS headers have no affect on the download attribute. There are only two browsers that support the download attribute, Firefox and Chrome, and both browsers have a different policy on cross-origin files.

Chrome versions prior to 65 actually did allow the download attribute on cross-origin files, without CORS headers, but Firefox chose not to, citing potential social-engineering attacks.

MDN documents this behavior for Firefox 20 under the download attribute section for the a tag, behavior that has not changed since.

In Firefox 20 this attribute is only honored for links to resources with the same-origin.

This Bugzilla report discussed the security concerns and the possibility of using CORS.

When the user clicks such a link, the user will be prompted if they want to download. It seems very easy for the user to make the mistake of thinking that something on the original website is being downloaded, and not something from bank.com.

Would it be possible to implement it with same-origin and CORS (Access-Control-Allow-Origin) in mind if you are questioning cross origin security? This is very useful feature for web applications (create Blob using JS and let user download it with some meaningful name)

Google was opposed to using CORS for this.

There's also this Bugzilla report, which summarizes their decision from the other bug report.

Also, cross origin downloads are working perfectly in Google Chrome.

Yes, and we think they're adding security bugs by doing that.

The Bugzilla issues don't seem to rule-out the possibility of using CORS for cross-origin download attribute support in the future, but right now using CORS headers does not do anything for the download attribute. It's possible that if other browsers start supporting the attribute, a consensus may yet be reached.

For sake of completeness, there is of course the Content-Disposition header which you can use to force a download from the other domain, but this does not provide the same functionality as the download attribute. It does have better browser support though.

這篇關于從另一臺服務器下載時，HTML5 下載屬性不起作用，即使 Access-Control-Allow-Origin 設置為 all (*)的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！