Bypassing the Internet Explorer Security Bar Pop-up

Mar 23, 2007

Recently I was working on a tool which offered downloads of a dynamically generated zip file to users via setting window.location.href. This worked fine in browsers which have control of their security issues, such as Firefox and Opera. However, Internet Explorer has over-fixed the issue by displaying a security warning bar along the top of the window for any file downloaded in this fashion other than generic web content types.

Obviously, this bar freaks people out. "EEEK! This website is hacking me!!!!" In addition, my page was dynamically generated and IE has a habit of reloading the page when it changes any security settings; so all the user's previous form selections were lost if they chose to accept the download.

Well, I thought and thought, and thought some more. How could I trigger the download dialogue for my zip file without also triggering IE's security warning bar?

The solution came to me by thinking of the problem from another angle, which was: How can I get IE users to download this file, with a minimum of extra effort compared with Firefox and Opera, and without triggering the security warning bar?

With that in mind, the solution turned out to be simple. This is due to the fact that IE differentiates downloads based on how they were triggered. If a user clicked a link to download a potentially dangerous file, then IE trusts that the user knows what they are doing and does not display the warning bar. It's only when script, or a meta redirect, tries to start a download on its own that IE throws a hissy fit.

Therefore, the solution was to save the dynamically generated file temporarily on the server, then use an interstitial popup containing a clickable link to the file, just for IE users. To keep a minimum number of tabs or windows open, the popup should preferably be a hidden HTML element which is displayed only when the file is ready to download.

In the tool I was building, an AJAX polling function would repeatedly test the server to see if the file existed, and once it was found, it would show a small popup window with a message similar to: "Your file is ready to download. Please click here to complete your download." etc. Then the user clicks the link and gets the file without any silly warnings.

The best thing is that the action is seamless. IE users aren't aware that this popup is especially for them, and - by using some object sniffing - users of other browsers can be directed right to the file, blissfully unaware of any IE hackage.

As an example, I use the following object detection to separate IE from the real browsers:

if (window.sidebar || window.opera) {
  // Mozilla (window.sidebar) and Opera (window.opera): go straight to the file
  window.location.href = "...";
} else {
  // IE and anything else: point the link at the file and reveal the hidden popup
  document.getElementById( 'fileLink' ).href = "...";
  document.getElementById( 'filePopup' ).style.display = "block";
}

It's one extra click for IE users, and - if you use the HTML element method - no other warnings or browser blocking of any kind except for the generic one on the download dialogue itself.
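The polling step and the hand-off described above can be combined as follows. This is an added example, not the code from the original tool: the element ids `fileLink` and `filePopup` come from the snippet above, while the function names, the retry limit and the injectable `schedule` option are assumptions made for illustration.

```javascript
// Added example; function names and defaults are hypothetical.

// HEAD request that reports whether the generated file exists yet.
function headExists(url, cb) {
  var xhr = new XMLHttpRequest();
  xhr.open("HEAD", url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) cb(xhr.status === 200);
  };
  xhr.send(null);
}

// Poll check(cb) until it reports true; give up after maxTries so a failed
// server-side build does not leave the page polling forever.
// schedule defaults to setTimeout and can be swapped out for testing.
function pollUntilReady(check, onReady, onGiveUp, opts) {
  opts = opts || {};
  var tries = 0;
  var maxTries = opts.maxTries || 30;
  var delayMs = opts.delayMs || 2000;
  var schedule = opts.schedule || setTimeout;
  function attempt() {
    tries += 1;
    check(function (exists) {
      if (exists) return onReady(tries);
      if (tries >= maxTries) return onGiveUp(tries);
      schedule(attempt, delayMs);
    });
  }
  attempt();
}

// Hand the file over: navigate directly where the post's object detection
// matches, otherwise reveal the hidden link so the user's own click starts
// the download.
function deliverDownload(win, doc, url) {
  if (win.sidebar || win.opera) {
    win.location.href = url;
    return "redirect";
  }
  doc.getElementById("fileLink").href = url;
  doc.getElementById("filePopup").style.display = "block";
  return "link";
}

// Browser usage (fileUrl is whatever path the server reports for the file):
// pollUntilReady(function (cb) { headExists(fileUrl, cb); },
//   function () { deliverDownload(window, document, fileUrl); },
//   function () { /* tell the user the file could not be generated */ });
```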

Hope it can help you! :)


Comments closed

  • Mar 31, 2007 - 12:44

    # Comment by Tarquin

    Of course, I would prefer something more accurate for other browsers, such as Safari-based, Konqueror-based, and iCab. But to be fair, this is harmless. Yes, some other browsers will get the IE approach, but it doesn't matter, because either way works; it just requires an extra click.

    Nice little trick for IE. Thanks for sharing.