How Mega does to save a file to harddrive without requiring permission

Question

I'm not sure if the place to ask this question so feel free to move my question elsewhere or closed it.
I have been told that Javascript can write and read from disk only when an explicit event like drag & drop happen on the browser and gave it a handle to a file.

In the case of Mega(ex upload) when you click download you are directly saving a file to disk without being asked to save it or installing any extension your browser.
Is it a feature of Javascript or HTML 5 because in my opinion it means a terrible security issue in this case.

Edit 1: So my question is, how do Mega manage to write on disk without showing you the Save to dialog of your browser popped up and self determining where to put the file

Answer 1

The question is somewhat vague, to answer properly maybe we need more information about your system and browser vendor/version. Mega uses some really cool stuff to handle downloads and files.

They use, depending of the client environment:

• Filesystem API (Chrome / Firefox Extension polyfill);
• Adobe Flash SWF Filewriter (fallback for old browsers);
• BlobBuilder (IE10/IE11);
• MEGA Firefox Extension (deprecated);
• Arraybuffer/Blob Memory Based;
• MediaSource (experimental streaming solution);
• IndexedDB blob based (Firefox 20+).

With all these methodologies, download directly without user intervention/authorization will rely on the browser compatibility. I am using Firefox on Linux, when I choose a file from Mega and click to download, a dialog box shows up so, in matter of effect, I have to authorize the download. But if you look to this screnshot, in the 'from' field you will see the word 'blob', thats a sign of a Blob object from the File API W3C Specification.

You can see a Blob API utilization example in this fiddle and inspecting Mega's source code (case 4: Arraybuffer/Blob Memory Based, lines 15, 293, 324, 802).

window.URL = window.URL || window.webkitURL;

var blobExample = new Blob(['\
<!doctype html>\n\
<html>\n\
<body>Hello from Blob file!</body>\n\
</html>'], {type: 'text/html'});

var blobLink  = document.createElement('link');
blobLink.rel  = 'html';
blobLink.href = window.URL.createObjectURL(blobExample);
document.body.appendChild(blobLink);

var anchor = document.createElement('a');
anchor.href = window.URL.createObjectURL(blobExample);
anchor.download = 'blob-example.html';
anchor.textContent = 'Download the binary large object';
document.body.appendChild(anchor);

=)

Answer 2

Strange... I'm using Mega on daily basis and it always shows the Save to dialog. Doesn't this depends on your browser settings?

I'm not having enough reputation to add a comment, so I had to post this as an answer, sorry for that.

Answer 3

It's just a matter of sending the right headers in the response - so the browser knows to save instead of open. It's nothing to do with javascript or HTML5.

For example, in PHP:

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"'); 
header('Content-Transfer-Encoding: binary');
header('Connection: Keep-Alive');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));

I don't know what server-side technology Mega uses but this is the basic premise.

Edit: in response to your edited question about why the 'Save As' dialog does not appear, well, that's a browser setting. Chrome, for example, will by default save to your Downloads folder (on Windows) without prompting.