Allow downloads from hosted documents#11
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7e68914. Configure here.
| headers: { | ||
| "Content-Type": "text/html; charset=utf-8", | ||
| "Content-Security-Policy": "sandbox allow-scripts", | ||
| "Content-Security-Policy": "sandbox allow-scripts allow-downloads", |
There was a problem hiding this comment.
Downloads blocked in Firefox
Medium Severity
Firefox still does not honor allow-downloads on the CSP sandbox directive (open Bugzilla 1653678). Hosted docs are constrained by both the iframe sandbox and the /raw CSP, and those flag sets combine as a union, so the CSP layer can keep downloads blocked in Firefox even though the iframe token is present. Chromium/WebKit are fine; the shell viewer path is the one that breaks for Firefox users.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 7e68914. Configure here.


summary
testing
npm testnpm run buildNote
Low Risk
Narrow sandbox capability change on already script-isolated user HTML; no auth or session surface changes.
Overview
Enables user-initiated file downloads from hosted HTML inside the comment viewer iframe and on direct
/d/:slug/rawloads, without relaxing the opaque-origin isolation model.Both surfaces now use
allow-downloadsalongsideallow-scripts: the iframesandboxinCommentsShelland the raw route’sContent-Security-Policy: sandboxheader. Comments inraw/route.tswere updated to state that scripts still run on a unique opaque origin and that downloads are permitted, while cookies, tokens, and same-origin storage remain unreachable.Reviewed by Cursor Bugbot for commit 7e68914. Bugbot is set up for automated code reviews on this repo. Configure here.