Browser event when downloaded file is saved to disk

I have sensitive files to download to users, and each user is permitted to download a given file exactly once. If the download fails, I want to permit the re-download, but not otherwise.

It's not sufficient to rely on logging/processing the file download request at the server - I need to know deterministically when the file is complete and in place at the client, since many of my users work in an environment with frequent connectivity drops.

The most straightforward way for this to work would be if the browser exposed a "file saved" event from the Save As... dialog that could be wired to a JavaScript function on the download page (which could post back to the server). But, intuition suggests there might be security holes if browsers exposed this functionality, as it sneaks somewhat outside the sandbox. I'm not sure this is even possible.

I found several other questions in this area, but nothing about this problem specifically.

Any ideas?

Edit: I should not have used the word "security" in the original question, sorry for triggering the red herrings.

Edit 2: My "security" phrasing misled folks into offtopic technical security issues, but both of you confirmed my suspicion that "no, there's no browser support for that." I'm marking the first commenter with the answer since his first sentence had what I was looking for. Thanks all.

Answers


There's no such browser event in JavaScript and even if there was you can not trust the user's browser to provide security for you.

You're better off using a GUID to generate a unique URL for each download. You can then for example:

  • let the URL be valid only for a specific time period
  • allow transfers only from a specific IP address associated with the unique URL
  • let your server-side code detect when the content for a unique URL has been fully transferred and then invalidate the URL.

Let me clarify the last bullet. Say you're using Java - you will in.read(buffer) and out.write(buffer) in a loop until EOF. If the client disconnects you will receive an IOException during out.write() and will be able to tell a successful download from an interrupted one. On other platforms, I'm sure there are ways to tell whether the connection was lost or not.

EDIT: You could actually fire a browser event using the trick outlined in the accepted answer of one of the questions you linked to. That would however not be a reliable solution to limit the number of downloads.


This is a good solution:

http://gruffcode.com/2010/10/28/detecting-the-file-download-dialog-in-the-browser/

It basically works by setting a cookie in the reponse header of the downloaded file, so javascript periodically can check for the existence of this cookie...


Why is it important that the file can be downloaded "exactly once"? Once the file is downloaded it could be copied, so is there really a security issue with letting the same user download the file more than once?

If not, could you do something like this:

  1. Generate a unique URL to download a given file. (Use a GUID to obsfucate if necessary)
  2. Associate that URL with USER INFO (browser type, IP address, etc) AND A TIME WINDOW. Only allow downloads from that user and during the window.
  3. The window should be long enough for the user to notice the transfer failed and to re-try once or twice, but no longer.

The end result is:

  1. You can be reasonably sure the file is only being downloaded by the intended recipient.
  2. You can be sure that recipient can only download the file during a short window.
  3. The same user could download the file more than once, but who cares? It's no different than making a local copy of the first file.

If you're really worried about it, log each download request and run a scheduled report for files that were downloaded more than once. If anything looks fishy you can then examine security logs, talk to the user, etc.


Need Your Help

When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?

java spring spring-mvc spring-security

I have a Spring MVC web app which uses Spring Security. I want to know the username of the currently logged in user. I'm using the code snippet given below . Is this the accepted way?

C++ unordered_map using a custom class type as the key

c++ hash g++ unordered-map hashtree

I am trying to use a custom class as key for an unordered_map, like the following: