Getting "Download is Disallowed" in iframe. #2421

Closed
opened 2026-02-05 04:05:32 +03:00 by OVERLORD · 4 comments

Originally created by @joe-eklund on GitHub (Oct 9, 2021).

Describe the bug
I have attached a file to a particular page. When I attempt to download the file while using Bookstack in an iframe I get this error in my console and the file does not download:

```
Download is disallowed. The frame initiating or instantiating the download is sandboxed, but the flag ‘allow-downloads’ is not set. See https://www.chromestatus.com/feature/5706745674465280 for more details.
```

Steps To Reproduce

  1. Browse to Bookstack in an iframe.
  2. Upload a file to a page.
  3. Attempt to download the file. It will not work and you will get the above error.
  4. Attempt to download the file again while browsing not in an iframe. It works just fine.

Expected behavior
I should be able to download files while browsing Bookstack in an iframe.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v21.05.4.
  • PHP Version:
  • Hosting Method (Nginx/Apache/Docker): Docker on Ubuntu.

Additional context
I'm not quite sure if this is a bug or some other configuration change I need to make. I have also already set the `- ALLOWED_IFRAME_HOSTS="my_domain"` environment variable in my docker compose. Testing the downloading in Chrome on Windows.

Any help on this would be greatly appreciated. Thanks!


@ssddanbrown commented on GitHub (Oct 9, 2021):

Hi @joe-eklund,
Getting downloads to work here requires a change in the way the iframe is defined on the site that's embedding BookStack. The sandbox attribute of the iframe needs to be updated with `allow-downloads`. I don't think this is something that can be solved from the BookStack side of things.


@joe-eklund commented on GitHub (Oct 11, 2021):

Hmm ok. I am iFraming it inside Organizr with both being Traefik 1.7 as a reverse proxy. I am planning on upgrading to Traefik 2 soon.

I attempted to set the `contentSecurityPolicy` with `sandbox allow-downloads` for Bookstack using Traefik labels but that didn't seem to affect it. I will continue to investigate how this is possible, but if anyone has this working I would very much like to know.


@ssddanbrown commented on GitHub (Oct 11, 2021):

@joe-eklund The `allow-downloads` flag will need to be set on the iframe element itself. This is not something to be done at proxy level but is likely Organizr in this case.

I am not familiar with Organizr in any way but I presume this is how it builds the iframe:

https://github.com/causefx/Organizr/blob/8f00d1322c2c9ee88c80c36254071317ccad0267/js/functions.js#L2844

It looks like the sandbox properties are dynamic. When configuring your BookStack setup in Organizr, does it provide any kind of "Sandbox" or "Iframe" options within the UI?


@joe-eklund commented on GitHub (Oct 12, 2021):

@ssddanbrown Thank you so much for your help. You are correct! I added it through the Organizr UI to the sandbox section and it worked!

For anyone else that wants to do this go to Organizr Settings > Main > Security > Sandbox and add `Allow Downloads` to the list. You can now download files from iFrames. :)
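
The rule this thread arrives at, as an added example that is not part of the original issue or of Organizr's code: sandbox restrictions from the embedding `<iframe>` and from a `Content-Security-Policy: sandbox` response header add up, so a proxy-level header can only tighten the sandbox and the flag has to be on the iframe element. This is a simplified model; the function names and sample attribute values are constructed for illustration.

```javascript
// Added example: models how a browser combines sandbox restrictions.
// `null` means "this source applies no sandbox" (it restricts nothing).

// Parse an iframe sandbox attribute. undefined/null => attribute absent.
// An empty string is a present attribute with every restriction applied.
function parseIframeSandbox(attr) {
  if (attr === undefined || attr === null) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

// Extract the tokens of the `sandbox` directive from a CSP header value.
function parseCspSandbox(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const [name, ...tokens] = directive.trim().toLowerCase().split(/\s+/);
    if (name === 'sandbox') return new Set(tokens);
  }
  return null;
}

// Restrictions from both sources add up, so a capability survives only if
// every source that sandboxes the document lifts it.
function effectiveAllowances(iframeAttr, cspHeader) {
  const sources = [parseIframeSandbox(iframeAttr), parseCspSandbox(cspHeader)]
    .filter((s) => s !== null);
  if (sources.length === 0) return null; // not sandboxed at all
  return new Set([...sources[0]].filter((t) => sources.every((s) => s.has(t))));
}

function downloadsAllowed(iframeAttr, cspHeader) {
  const allowed = effectiveAllowances(iframeAttr, cspHeader);
  return allowed === null || allowed.has('allow-downloads');
}

// Constructed cases mirroring the thread (attribute values are made up).
const embedderSandbox = 'allow-scripts allow-same-origin allow-forms';
const cases = [
  ['proxy CSP only', embedderSandbox, 'sandbox allow-downloads'],
  ['iframe flag added', embedderSandbox + ' allow-downloads', ''],
  ['no sandbox anywhere', undefined, ''],
];
for (const [label, attr, csp] of cases) {
  const verdict = downloadsAllowed(attr, csp) ? 'download ok' : 'download blocked';
  console.log(label.padEnd(20), verdict);
}
```

In the first case the CSP header not only fails to enable downloads, it also strips the capabilities the iframe attribute had granted, because neither source lists the other's tokens.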

Reference: starred/BookStack#2421