A recent update to Chrome has begun blocking XLSX downloads coming from our website.
I have read Chrome's documentation and guidelines about how they determine if something is potentially harmful, but it makes no mention of how to resolve issues outside of reaching out to them. Our files and our site meet all the guidelines they lay out. Most of their documentation is based around executable downloads, so it's not clear how this information affects simple file downloads.
The site and the file are served from the same host using HTTPS. The download is driven by an anchor tag that links to an API which serves the file.
Other similar APIs that serve generated CSV files or PDF files of the same data are not affected.
I have also modified our file generation to output XLS files instead of XLSX, but those are blocked too.
Below are the headers of the response. As far as I know, everything in regards to disposition or content type is correct, so I don't see Chrome using those to block the file.
Cache-Control: must-revalidate, private
Connection: keep-alive
Content-disposition: attachment; filename="test-file.xlsx"
Content-Type: application/xlsx
Date: Fri, 17 Jul 2020 16:04:41 GMT
Expires: -1
Server: nginx
transfer-encoding: chunked
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
I have also verified that the files are in fact not dangerous. They contain simple Excel data, and nothing strange is being injected or is compromised.
We have also tested various download methods, direct anchor links, form posts, blobs etc. It is always blocked.
Is there a specific request/response header or download method or flag I'm missing that will stop Chrome from blocking the files?
Updates
I have confirmed that this issue affected an 83.x version of Chrome as well as the latest version, 84.0.4147.89.
Thanks to @Alex, we have confirmed this issue is not present on the Linux or Windows version of Chrome. OSX Only.
The issue disappeared for 20-30 minutes earlier today and then returned.
Users report the issue is present all the way back to Chrome 80+.
We had a similar problem earlier today. Our web-site uses TAR files for exchanging data (upload/download). HTTPS is used for all communication. The files are stored on S3 and the user is redirected to S3 to download the file. This setup has been working fine for the last couple of years.
Suddenly, this morning around 11:20am (Eastern Time) most of the users started to experience download issues -- the downloaded files were blocked by Chrome. This happened in Chrome only and on multiple platforms (Windows and MacOS, we don't have any Linux users). The issue was reported by multiple users, most of the users in fact. Upgrading from v83 to the latest v84 did not help.
Then around 12:50pm (1.5 hours later), the issue was gone. 10-20 minutes later, it appeared again. It seems that the issue is gone again.
I have been running my Chrome (v83) non-stop since yesterday. During the first "wave" I was constantly experiencing this issue and then constantly not seeing it at all. Then the "second wave" began, and I started seeing it again, and now it is gone.
For those following this live, the Chromium team is tracking and fixing this: https://bugs.chromium.org/p/chromium/issues/detail?id=1106858
Comment 8 by vakh@chromium.org on Fri, Jul 17, 2020, 2:42 PM EDT
We're in the process of rolling out a fix for this issue so if you try now, it's likely you won't see a warning.
If you still do, please try again in approximately 30 minutes.