What causes IE8 to block some file downloads?

Question

This is causing some grief among my IE8 users.

On my site I have file downloads launched via php script (file_download.php?file=X123). In this page it records some data to a database, then uses headers to force the download. Everything on this page seems to works fine on all browsers.

Its how I call this page that seems to be giving me the annoying little "To help protect your security - Internet Explorer has blocked site from downloading files to your computer".

If I use a regular href tag <a href="/file_download.php?file=X123">download</a> it launches correctly (with no IE blocked download message).

But when I launch using a jQuery script it gives me this warning.

So I figured IE8 might be suspicious of javascript redirects, so I made a simple JS function on the local page, but it worked no problem.

So it seems jQuery may be the culprit... is it because the window.location event is called from another page or script source? Does anyone know how this works?

I will continue testing but for now, could anyone shine some light on this issue? Asking users to tweak their IE settings is not an option.

Thanks

-------- jQuery Code --------------

            jQuery("a").click(function(e){

            if(jQuery(this).attr("href") !== undefined){

                downloadLink = jQuery(this).attr("href");
                thingClicked = jQuery(this);

                dll_io = downloadLink.indexOf("/file_download.php?file_id=");
                dll_io2 = downloadLink.indexOf("/file_download_safe.php?file_id=");


                    if(dll_io == 0 || dll_io2 == 0){

                        e.preventDefault();

                        jQuery.getScript("/includes/get_login.php?file_id=" + downloadLink + "&dll_io=" + dll_io + "&dll_io2=" + dll_io2 + "&last_url=" + document.URL, function(rp){
                            //get_login.php sets 'requested_dl_id' cookie

                            if(dll_io2 == 0){
                                window.location = downloadLink;
                            }else{  
                                if(rp == "allow"){
                                    window.location = downloadLink;
                                }else{
                                    jQuery("#download_prompt").click();
                                }
                            }//end condition: if file_download_safe -> set cookie and send to page. IF file_download -> set cookie and decide to prompt or not.

                        });
                    }//end if fd == file_download.php
            }//end only execute code if 'a' has a defined 'href' attribute

        });

----update----

I have now educated myself enough to understand the cause of this problem - but no simple solution. The cause is IE7 & 8 automatically block downloads that are launched from non-user events. So an onclick event will launch a download, but not a jQuery script. Still searching for a workaround.

Answer 1

Using JavaScript to trigger a download is a common way to distribute malware (eg: a banner ad might trigger downloads on all sites showing the ad).

It doesn't surprise me that it triggers a "red flag" and increases the security precautions.

I think your only option is not to use javascript to trigger the download. Is there any other way you can do it?

Answer 2

i can't reenable "To help protect your security" thingie, but based on this article window.location might be the culprit.

have you try

$('<iframe>', {src:downloadLink}).appendTo('body');

in place of

window.location = downloadLink;