• 0

Using header() to force download not working in Chrome or Firefox


Question

I have created an mp3 downloader script which forces downloads of MP3s that are located outside of the web root. I've received a few support requests saying it's not working.. I originally only tested it in Safari and it worked fine, so I tested it in Chrome and Firefox and can confirm it returns a 404 error in both of those browsers.

In Chrome console it shows: net::ERR_INVALID_RESPONSE

download.php:

header("Content-Description: File Transfer");
header("Content-Type: {$mime}");
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download"); 
header("Content-Type: application/download");
header("Content-Disposition: attachment; filename={$filename}");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
while(ob_get_level()) ob_end_clean();
flush();
readfile($file);
exit;

 

I have checked all paths and variables.. everything is set, exists and readable.

If i remove application/force-download and application-download it loads the in browser mp3 player but returns a 404... so it looks like it can't find the file outside of web root - does Chrome/Firefox not allow that?

It is definitely working in Safari

Any ideas?

4 answers to this question

Recommended Posts

  • 0

Check your Inspect Element tool on Chrome and see if it's blocking it client sided, I ran into issues with loading javascript files / modifying css through an iframe for security reasons. If you're on a windows device using safari, you're using a very outdated version (merely an assumption you're on windows) which may not have included a patch for cross-site anything.

I know that you get into a really grey area when you start using cross-site downloads without the appropriate allow-content headers on the receiving and requesting servers.

  • 0

A few of these headers are meaningless outside of email (Content-Description and Content-Transfer-Encoding), and overwriting the content-type multiple times won't help much either (You ideally want to either use the original mime-type, or application/octet-stream. I have no idea what uses "download" or "force-download").

It returning a 404 is the more likely problem, PHP is actually using the $filename and $mime in the headers right? (Been ages since I've used PHP) It's also odd that you're just downing normal string concatenation for the filesize, but not for other headers.

  • 0
  On 18/08/2015 at 06:00, The_Decryptor said:

A few of these headers are meaningless outside of email (Content-Description and Content-Transfer-Encoding), and overwriting the content-type multiple times won't help much either (You ideally want to either use the original mime-type, or application/octet-stream. I have no idea what uses "download" or "force-download").

It returning a 404 is the more likely problem, PHP is actually using the $filename and $mime in the headers right? (Been ages since I've used PHP) It's also odd that you're just downing normal string concatenation for the filesize, but not for other headers.

Thanks for your input, i removed the 'meaningless' headers and it still works in Safari so i'll leave those out. It didn't fix the chrome issue though.

  • 0

This has always worked for me:

  • $file = "filename.ext";
  •  
  • // Quick check to verify that the file exists
  • if( !file_exists($file) ) die("File not found");
  •  
  • // Force the download
  • header("Content-Disposition: attachment; filename="" . basename($file) . """);
  • header("Content-Length: " . filesize($file));
  • header("Content-Type: application/octet-stream;");
  • readfile($file);

 

This topic is now closed to further replies.
  • Posts

    • I have always wondered if there is any difference between .BAT and .CMD files!
    • I will confirm the Vista hate was ridiculous. They had a point before SP1 and too many didn't use newer components at launch, misleading some to believe it was bad. It really wasn't (after SP1.) The jump from 98/ME to XP didn't get a bad reaction at all from what I remember. 8 was awful. 10 for the most part ran pretty well but people disliked the telemetry and standard MS shenanigans, but 11 is definitely worse in some ways.
    • What I can confirm to not be exaggerations or misinformation is the slowness of the standard right click menus and the Task Manager in Windows 11, even on brand spanking new bare installs.
    • Linux 6.16-rc2: Smaller than usual, but with notable network and bcachefs tweaks by Paul Hill Linus Torvalds, the creator of the Linux kernel, has just released the second release candidate of Linux 6.16. Following the release of Linux 6.15, developers submitted their new features to be merged with Linux 6.16. These release candidates are focused on polishing the kernel before release, following the merging of new features. In his weekly mailing list post, Torvalds noticed that things were pretty quiet this week and that this could be due to developers taking a summer vacation or just taking a break following a large merge window a few weeks ago. This isn’t uncommon at this point in the cycle and Torvalds expects more activity next week. Networking and bcachefs dominate changes The second release candidate, despite being small, still brings some notable changes, namely network drivers, Bluetooth drivers, and bcachefs, a copy-on-write filesystem for Linux. The improvements to network drivers have a direct impact on end users, it means that newer networking hardware works out of the box when you install Linux and existing problematic drivers get fixed. There were also improvements made to the Rust infrastructure and core networking changes. Implementing Rust in the kernel is good for users as it has memory safety built in, leaving hackers less to attack in Linux systems. Rust has received backlash by some opinionated Linux developers who don’t want to learn a new language, but it doesn’t look like it’s going anywhere. Under the hood: specific fixes This week, a diverse set of developers have contributed fixes to the kernel that improve kernel stability, Bluetooth connectivity, file sharing over SMB, and virtualization performance. Some specific changes this week include: Fixes for CPU burning, firmware stats, and use-after-free (UAF) issues with the ath11k and ath12k Wi-Fi drivers. Various fixes for UAF, NULL pointer differences and advertising issues in Bluetooth drivers. Improvements to Server Message Block (SMB) related to directory cache reuse and a fix for performance regression with deferred closes. In KVM (Kernel-based Virtual Machine), there are fixes for SEV-SNP support, memory pre-faulting, and ARM64 selftests. The SMB fixes are notable because it's an important protocol in networked Windows environments. It helps with file sharing, printer sharing, and Active Directory integration. By improving Linux’s support for this protocol, readers using SMB in Linux to talk to Windows machines will have a smoother experience. Ongoing development Linux 6.16 is due to get seven or eight release candidates over the cycle so there are now five or six weeks until the stable version arrives. Even when it is out, most people’s first use of this kernel will be when distributions decide to ship it, as they can be tricky to install manually. Stay tuned each week as we bring you all the new changes which each new release candidate.
    • Just checked my B650 Motherboard again, nothing there as yet, Guess 800 series getting it first, which i can understand as that's newer series, and chipset. I'll check again in a few days or a week depending on how busy i am
  • Recent Achievements

    • Explorer
      Legend20 went up a rank
      Explorer
    • One Month Later
      jezzzy earned a badge
      One Month Later
    • First Post
      CSpera earned a badge
      First Post
    • One Month Later
      MIR JOHNNY BLAZE earned a badge
      One Month Later
    • Apprentice
      Wireless wookie went up a rank
      Apprentice
  • Popular Contributors

    1. 1
      +primortal
      624
    2. 2
      ATLien_0
      276
    3. 3
      +FloatingFatMan
      178
    4. 4
      Michael Scrip
      152
    5. 5
      Steven P.
      115
  • Tell a friend

    Love Neowin? Tell a friend!