Skip to content

Allow downloads from hosted documents#11

Merged
sjmiller609 merged 1 commit into
mainfrom
hypeship/allow-doc-downloads
Jul 13, 2026
Merged

Allow downloads from hosted documents#11
sjmiller609 merged 1 commit into
mainfrom
hypeship/allow-doc-downloads

Conversation

@sjmiller609

@sjmiller609 sjmiller609 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

summary

  • allow user-initiated downloads from hosted document iframes
  • keep hosted documents isolated in an opaque sandbox origin

testing

  • npm test
  • npm run build

Note

Low Risk
Narrow sandbox capability change on already script-isolated user HTML; no auth or session surface changes.

Overview
Enables user-initiated file downloads from hosted HTML inside the comment viewer iframe and on direct /d/:slug/raw loads, without relaxing the opaque-origin isolation model.

Both surfaces now use allow-downloads alongside allow-scripts: the iframe sandbox in CommentsShell and the raw route’s Content-Security-Policy: sandbox header. Comments in raw/route.ts were updated to state that scripts still run on a unique opaque origin and that downloads are permitted, while cookies, tokens, and same-origin storage remain unreachable.

Reviewed by Cursor Bugbot for commit 7e68914. Bugbot is set up for automated code reviews on this repo. Configure here.

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
justhtml Ready Ready Preview, Comment Jul 13, 2026 8:31pm

@sjmiller609 sjmiller609 marked this pull request as ready for review July 13, 2026 20:37
@sjmiller609 sjmiller609 merged commit a510b30 into main Jul 13, 2026
5 checks passed

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 7e68914. Configure here.

Comment thread app/d/[slug]/raw/route.ts
headers: {
"Content-Type": "text/html; charset=utf-8",
"Content-Security-Policy": "sandbox allow-scripts",
"Content-Security-Policy": "sandbox allow-scripts allow-downloads",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Downloads blocked in Firefox

Medium Severity

Firefox still does not honor allow-downloads on the CSP sandbox directive (open Bugzilla 1653678). Hosted docs are constrained by both the iframe sandbox and the /raw CSP, and those flag sets combine as a union, so the CSP layer can keep downloads blocked in Firefox even though the iframe token is present. Chromium/WebKit are fine; the shell viewer path is the one that breaks for Firefox users.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7e68914. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant