Monday, June 05, 2006

Save this to disk, bitch!

Microsoft's Internet Explorer has a nice security "feature" that prevents you from saving certain files to your hard drive if the web site is using the https protocol. This is most noticeable with Microsoft Office documents. This is true whether the file is saved on the web server or if it is generated and served as a byte stream.

With Internet Explorer 6 Service Pack 1, the default setting changed to "Do not save encrypted pages to disk". This was done in an effort to prevent certain files from residing in the Temporary Internet Files folder once the user has logged off. The effect of this is that NO ONE can save certain file types at all (most notably XLS and DOC files).

If you have access to an SSL protected public web server, all you need to do is save an Excel spreadsheet on the server to see this in action. Upload the file and try to access it over the https protocol (make sure that XLS files are set to "Confirm open after download" under Control Panel | Folder Options | XLS | Advanced | Open). You should get a popup that looks like the following:

Notice that the filename changed from test.xls to test_xls. That is the first sign that something has gone wrong. If you try to save or open the file, you get another error:

This is easy to resolve if you are the user. Just make 5 clicks and you can undo Microsoft's "security enhancement". The big problem is when you are the one running a web site and your Customer Service team gets thousands of complaints from non-skilled internet users.

One super easy way to get around this issue is to use an IFRAME. If you have a blank page that just contains an IFRAME with the width and height set to 100%, you will get the appropriate prompt to save the file.

<body topmargin="0" leftmargin="0">
<iframe src="test.xls" width="100%" height="100%"></iframe>
</body>

This seems to work well and Firefox supports IFRAMEs, so it is cross-browser compliant. Yes, this is a complete hack, but don't blame me, blame Microsoft. If you want to get sophisticated, you can check the User-Agent value and only implement this solution for IE 6.
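
The User-Agent check mentioned above, as an added example that is not part of the original post: it picks the IFRAME wrapper for IE 6 only and escapes the file URL before writing it into the src attribute. The function names and the sample User-Agent strings are assumptions made for illustration, and because the header is client-supplied it should only select a presentation, never gate access.

```javascript
// Added example; isIE6, escapeAttr and downloadPlan are hypothetical names.

// IE 6 sends an "MSIE 6.x" token. Only the FIRST MSIE token is trusted,
// because a later "MSIE 6.0" token can appear inside a newer IE's string.
// Opera could also present an MSIE token while naming itself, so exclude it.
function isIE6(userAgent) {
  if (typeof userAgent !== "string") return false;
  if (/\bOpera\b/i.test(userAgent)) return false;
  const m = /\bMSIE (\d+)\.\d+/.exec(userAgent);
  return m !== null && m[1] === "6";
}

// Escape a value before placing it inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decide how to deliver fileUrl: the IFRAME wrapper page for IE 6,
// a plain redirect to the file for every other browser.
function downloadPlan(userAgent, fileUrl) {
  if (!isIE6(userAgent)) {
    return { kind: "direct", location: fileUrl };
  }
  const html =
    '<html><body topmargin="0" leftmargin="0">\n' +
    '<iframe src="' + escapeAttr(fileUrl) + '" width="100%" height="100%"></iframe>\n' +
    "</body></html>";
  return { kind: "wrapper", html: html };
}

// Constructed sample User-Agent strings (not captured from real traffic).
const SAMPLES = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie7Stale: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))",
  opera: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
};

for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, "->", downloadPlan(ua, "test.xls").kind);
}
```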

I finally figured this out after almost an entire fun-filled day of trial and error.

