The change in #109941 (commit) seems to have broken private file downloads over SSL in Internet Explorer 6 and 7.
On the site I'm working with, we have many nodes with PDF attachments. When the line reads:
header("Cache-Control: store, no-cache, must-revalidate");
any attempt to download the files results in an IE 6/7 error stating,
Internet Explorer cannot download [filename] from [hostname]
The file could not be written to the cache
When I revert that line to read:
header("Cache-Control: no-store, no-cache, must-revalidate");
everything is peachy again.
Does anyone have ideas on a way to provide the functionality present in #109941, while not seriously breaking file download functionality?
Comment | File | Size | Author |
---|---|---|---|
#15 | ssl-ie567-file-download-problem_d7-patch.diff | 641 bytes | spiffl |
Comments
Comment #1
js1 CreditAttribution: js1 commentedWe're experiencing this exact problem as well. Changing to "no-store" seems to fix the problem.
Comment #2
ChrisOwens CreditAttribution: ChrisOwens commentedThis is a known bug in IE6/IE7. See http://support.microsoft.com/kb/316431
Unfortunately, it is a design bug; Microsoft says the behavior is by design.
I'm not sure I understand the underlying issue well enough to comment, but what happens if you go to bootstrap.inc and change the existing
to
}
Comment #3
drummI am guessing there are other factors at work since we do send no-cache and must-revalidate in either case.
The ideal solution would be to send non-ie-bug-triggering headers for file downloads, and keep the present headers for everything else.
Comment #4
jrbeemanAgreed - I believe this would address the issue. I will try to work on a patch for 6.x, but I'm not familiar with this area of Drupal at all, so if anyone has pointers, I'd appreciate them.
Comment #5
bigdave CreditAttribution: bigdave commentedHi,
I'm new here,
This problem is occurring for me on a new 5.7 install. (I upgraded from 4 over the weekend).
Should the Version be changed to 5.7. Is it proper for me to do this? or should someone else.
Thanks.
Comment #6
jrbeemanComment #7
lias CreditAttribution: lias commentedI'm wondering if this also affects cacheing of images located above root in drupal's private file system. My site will not cache images above root although it does cache files that are within the drupal root.
See my other post: http://drupal.org/node/272082
Comment #8
bigdave CreditAttribution: bigdave commentedComment #9
bigdave CreditAttribution: bigdave commentedComment #10
highermath CreditAttribution: highermath commentedI just used:
header("Cache-Control: store, must-revalidate");
Seems to work.
Comment #11
bmherold CreditAttribution: bmherold commentedIt seems that commenting out the entire line
everything works just swimmingly.
Comment #12
lias CreditAttribution: lias commentedWould commenting out that line cause problems elsewhere? bmherold, let us know if you notice any wonkiness. Thanks.
Comment #13
theotter CreditAttribution: theotter commentedI stumbled on this with the same problem - trying to use private downloads over SSL. Here's how I've solved it (apparently - still early). I created a module I called sslfiles.module:
So, basically instead of returning headers, I'm using php's header() function to blow away Drupal's regular Cache-Control headers. But since this is in hook_file_download, this only happens for file downloads.
Are there any problems with this approach that I'm missing? I can definitely verify that it works. Enable the module and the problem goes away. Disable it, and it's back.
Comment #14
jdtart CreditAttribution: jdtart commentedI am very interested in this "sslfiles.module". I hate making changes to anything in core at all, so a modular solution is best for me. What was your experience with this sslfiles experiment? How exactly did you implement it?
Comment #15
spiffl CreditAttribution: spiffl commentedHere's a patch for D7 against HEAD that solves the issue properly.
My considerations:
- drupal_page_head() changes made in #109941 from no-store to store does break SSL-based downloads.
- drupal_page_head() should not assume that everything is uncachable if a user is logged in. static files are, for example.
- drupal_page_head() should be moved to a position later in the code, but this point does not exist, as then we're already deep inside menu_execute_active_handler() and the menu.
- modules should NOT have to fix something that is wrong for all file downloads.
- modules must be able to overrule the settings taken.
- file_download's should be cacheable (--> cache)
Thus implementation goes inside file.inc:function file_transfer() before the header-settings code-block, giving the modules through hook_file_download a chance to correct the "Cache-Control" header.
Comment #16
webengr CreditAttribution: webengr commentedTHIS is the same issue for D5, D6, that is in a different thread dealing with the upload.module,
may want to see also:
http://drupal.org/node/163445#comment-1654466
Basically Microsoft says you should not cache SSL downloads, thus we need to send Cache-Control: no-store
when ssl according to:
http://support.microsoft.com/kb/815313
Comment #17
webengr CreditAttribution: webengr commentedComment #18
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis looks like a duplicate of #163445: Internet Explorer cannot download private files. Please refer to the other issue.