29

A recent update to Chrome has begun blocking XLSX downloads coming from our website.

I have read Chrome's documentation and guidelines about how they determine if something is potentially harmful but it makes no mention of how to resolve issues outside of reaching out to them. Our files and our site meet all the guidelines they lay out. Most of their documentation is based around executable downloads so it's not clear how this information effects simple file downloads.

The site and the file are served from the same host using HTTPS. The download is driven by an anchor tag that links to an API which serves the file.

Other similar APIs that serve generated CSV files or PDF files of the same data are not effected.

I have also modified our file generation to output XLS files instead of XLSX, but those are blocked too.

Below are the headers of the response, as far as I know everything in regards to disposition or content type are correct so I don't see chrome using those to block the file.

Cache-Control: must-revalidate, private
Connection: keep-alive
Content-disposition: attachment; filename="test-file.xlsx"
Content-Type: application/xlsx
Date: Fri, 17 Jul 2020 16:04:41 GMT
Expires: -1
Server: nginx
transfer-encoding: chunked
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN

I have also verified that the files are in fact not dangerous, they contain simple excel data and nothing strange is being injected or is compromised.

We have also tested various download methods, direct anchor links, form posts, blobs etc. It is always blocked.

Is there a specific request/response header or download method or flag I'm missing that will stop chrome from blocking the files?

Updates

  • I have confirmed that this issue effected a 83.x version of chrome as well as the latest version Version 84.0.4147.89

  • Thanks to @Alex, we have confirmed this issue is not present on the Linux or Windows version of Chrome. OSX Only.

  • The issue disappeared for 20-30 minutes earlier today and then returned.

  • Users report the issue is present all the way back to Chrome 80+.

Jordon Biondo
  • 3,974
  • 1
  • 27
  • 37
  • speculation/workaround out of the blue: how about a CSV header instead? `Content-Type: text/csv` ... if the user has Excel installed, that's likely gonna open it, otherwise whatever would do ... – Andrea Giammarchi Jul 17 '20 at 16:16
  • @AndreaGiammarchi thanks for the suggestion, spoofing the content type to CSV does not work though. – Jordon Biondo Jul 17 '20 at 16:19
  • out of curiosity, is `filename="test-file.csv"` also failing? – Andrea Giammarchi Jul 17 '20 at 16:26
  • 3
    We have the same problem. Downloading xlsx from our site is blocked in Chrome as of few hours ago. Got a wave of calls from customers. – twinmind Jul 17 '20 at 16:33
  • 2
    Yeah @twinmind, I have a feeling that support teams across the world are about to get seriously dumped on. It's so frustrating that they provide no information about why it's blocked or how to resolve it! – Jordon Biondo Jul 17 '20 at 16:34
  • 3
    We got the same issue. You can workaround this by going in the download page of Chrome and press on Keep dangerous file. It happened suddenly, without any updates to our website or Chrome – vIceBerg Jul 17 '20 at 16:35
  • 2
    Yes @vIceBerg, there is also a chrome setting that can be disabled to prevent this, but telling our users to turn off security features in their browser is an absolute last resort, it would certainly undermine confidence in the application, but I suppose so does this warning on download. – Jordon Biondo Jul 17 '20 at 16:36
  • 2
    It's seems to be back now, xlsx and zip files download works again, they must have done some silent update. – twinmind Jul 17 '20 at 16:40
  • I've been experiencing this with .rdp file downloads as well from a RDP Web App server. If I click the download in rapid succession, some fail, some succeed. Our Google Security Issues Report is empty, so this definitely feels like Google made an oopsie. – Kevin Prow Jul 17 '20 at 18:03
  • I was able to reproduce the issue using Chromium 92.0.4515.107 with XLSX files linked using HTTP when the page is served using HTTPS. Changing the affected links to use https:// in the link URLs fixed the issue. (The issue does not appear to affect PDF or other documents, only XLSX so far.) – Tom Jul 30 '21 at 18:19

3 Answers3

13

Seems to be resolved now, via some silent update.

Brian Boyd
  • 162
  • 1
  • 4
5

We had a similar problem earlier today. Our web-site uses TAR files for exchanging data (upload/download). HTTPS is used for all communication. The files are stored on S3 and the user is redirected to S3 to download the file. This setup has been working fine for the last couple of years.

Suddenly, this morning around 11:20am (Eastern Time) most of the users started to experience download issues -- the downloaded files were blocked by Chrome. This happened in Chrome only and on multiple platforms (Windows and MacOS, we don't have any Linux users). The issue was reported by multiple users, most of the users in fact. Upgrading from v83 to the latest v84 did not help.

Then around 12:50pm (1.5 hours later), the issue was gone. 10-20 minutes later, it appeared again. It seems that the issue is gone again.

I have been running my Chrome (v83) non-stop since yesterday. During the first "wave" I was constantly experiencing this issue than constantly not seeing it at all. Then the "second wave" began, and I started seeing it again, and now it is gone.

korya
  • 2,026
  • 1
  • 15
  • 12
3

For those following this live, the Chromium team is tracking and fixing this: https://bugs.chromium.org/p/chromium/issues/detail?id=1106858

Comment 8 by vakh@chromium.org on Fri, Jul 17, 2020, 2:42 PM EDT We're in the process of rolling out a fix for this issue so if you try now, it's likely you won't see a warning. If you still do, please try again in approximately 30 minutes.

cbrainerd
  • 426
  • 5
  • 7