allow linking to downloadable data: URIs from notifications

Administrator requested to merge notif-download-links into master

Created by: sqs

This makes it possible for extensions to show notifications with messages that contain a link that, when clicked, will download a file in the user's browser. To do this, the extension would call

```javascript
sourcegraph.app.activeWindow.showMessage(
  '<a href="data:text/plain,foo" download="bar.txt">Download</a>',
  ...
)
```

This will be used by an extension that allows users to export the search results as CSV (https://github.com/sourcegraph/sourcegraph-search-export).

SECURITY: Previously, `<a href>` `data:` URIs and the `<a download>` attribute were removed by the Markdown sanitizer. This commit allows those (if an option `allowDataUriDownloads` is set), and the `NotificationItem` sets `allowDataUriDownloads` to true. Any relaxation of HTML sanitization should be examined carefully for risk. In this case, there is no additional risk because this relaxation only allows a link to be displayed that triggers a download. An extension could already effectively call `window.open` or print a normal `https:` link to another cross-domain page that could immediately trigger the same download upon page load.
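As an added example (not Sourcegraph's sanitizer code), here is a small allow-list filter for `<a>` attributes that models the `allowDataUriDownloads` option described above. It assumes double-quoted attributes on constructed input and, stricter than the description, only accepts a `data:` href when a `download` attribute is also present, so the URI can be a download target but never a navigation target.

```javascript
// Added example, not Sourcegraph's code: an allow-list filter for <a> attributes that
// models the allowDataUriDownloads option from this merge request. Assumptions:
// only double-quoted attributes, and data: hrefs must carry a download attribute.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Return the URL scheme (lower-cased, with colon), or null for a relative URL.
function schemeOf(href) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Keep only the attributes the policy allows; everything else (onclick, style, ...) is dropped.
function filterAnchorAttrs(attrs, { allowDataUriDownloads = false } = {}) {
  const out = {};
  if (attrs.href !== undefined) {
    const scheme = schemeOf(attrs.href);
    if (scheme === null || SAFE_SCHEMES.has(scheme)) {
      out.href = attrs.href;
    } else if (scheme === 'data:' && allowDataUriDownloads && attrs.download !== undefined) {
      // The relaxation from the MR: a data: URI is kept only as a download target, so the
      // link cannot be used to navigate the page to data:text/html content.
      out.href = attrs.href;
    }
    // javascript:, vbscript:, file: and data: without a download attribute are all removed.
  }
  if (attrs.download !== undefined && allowDataUriDownloads && out.href !== undefined) {
    out.download = attrs.download;
  }
  return out;
}

// Parse name="value" pairs from the inside of an <a ...> tag (constructed inputs only).
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(/([a-zA-Z-]+)="([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Rewrite every <a ...> opening tag in a snippet with its filtered attribute set.
function sanitizeAnchors(html, opts) {
  return html.replace(/<a\b([^>]*)>/gi, (_, attrText) => {
    const kept = filterAnchorAttrs(parseAttrs(attrText), opts);
    const serialized = Object.entries(kept).map(([k, v]) => ` ${k}="${v}"`).join('');
    return `<a${serialized}>`;
  });
}
```

With the option off, the same download link renders as a bare `<a>` with no href, which is the pre-change behaviour the description refers to.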
