
I have a web site that exports reports to various file formats by posting a form with a target in an iframe, and the http response is a file that downloads.

In the past, my web server and html/js assets were all hosted together in same domain, and all the browsers worked fine.

I just moved my static assets to a cdn on a different domain, and allow that domain on my web site using access-control-allow-origin, x-frame-options allow-from, and content-security-policy frame-ancestors. The report exporting works fine on Chrome and Firefox, but no longer works on either Microsoft Edge or IE browsers.

On Edge, the developer tools network trace shows that the POST to the server is "Pending" and never completes, yet there is no server log of the request. On IE, the HTTP POST does complete fine, but the browser doesn't prompt to save the file. On both browsers, the developer tools show that there is no Origin HTTP header, which is crucial for setting the x-frame-options response. So that might explain why IE refused to save the file. But Edge doesn't even submit the request.

My questions are:

  1. Why won't Edge submit the HTTP POST?
  2. Why does neither browser send the HTTP Origin header? Am I supposed to rely on the Referer header?
  • The F12 console tab should list any XSS and security errors. In IE first select Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes. The File>Properties menu will tell you which IE security zone the host maps to... Edge does not use security zones, but its F12>Console should show you any security or XSS errors. – Rob Parsons May 06 '18 at 22:21
  • Thanks @RobParsons. Please see my answer below which seems to be the more reliable approach. – jacob May 06 '18 at 22:35
  • Thanks for the fb. Glad to hear you found a workable solution. – Rob Parsons May 09 '18 at 20:18

1 Answer


I ended up coming to the conclusion that the approach of posting a form to an iframe in order to download a file is outdated and likely to be less than fully supported by browsers, particularly in a CORS scenario. Instead, I think using the HTML5 File API may be the more modern approach, as explained here: https://stackoverflow.com/a/23797348/1237919

Indeed, I tried that approach and it works great in all browsers!
