
Downloads inside HTML5 apps do not work #11987

Open
jredrejo opened this issue Mar 13, 2024 · 7 comments
Labels
APP: Learn Re: Learn App (content, quizzes, lessons, etc.) bug Behavior is wrong or broken P2 - normal Priority: Nice to have TODO: needs decisions Design or specifications are necessary

Comments

@jredrejo
Member

jredrejo commented Mar 13, 2024

Observed behavior

Some HTML5 apps include content that can be downloaded, such as documentation, images, etc.
The current iframe sandbox in Kolibri blocks them.

Errors and logs

Just clicking on a download link does not produce any effect.

There is an allow-downloads attribute for iframe that might be enabled globally in Kolibri to allow this.

Expected behavior

Clicking on a link to download a resource should work inside HTML5 apps.

As this introduces security issues in some cases (it would allow HTML5 apps to initiate downloads programmatically as well as through user interaction), the ideal solution would be adding an option to the HTML5AppNode to use it (being false by default).

User-facing consequences

Users cannot use all the contents the app includes.

Steps to reproduce

For example, courses or tutorials including documentation for further reading
[image]
don't allow this documentation to be downloaded, even if the document is included in the HTML5AppNode.

Context

kolibri 0.16.0

@jredrejo jredrejo added bug Behavior is wrong or broken P2 - normal Priority: Nice to have TODO: needs decisions Design or specifications are necessary APP: Learn Re: Learn App (content, quizzes, lessons, etc.) labels Mar 13, 2024
@jredrejo jredrejo changed the title [Brief description] Downloads inside HTML5 apps do not work Mar 13, 2024
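As an added example (not Kolibri's code) of the opt-in the first comment proposes: a per-node flag, false by default, that decides whether `allow-downloads` is appended to the iframe sandbox, plus an audit helper that shows which token combination lets the embedded app start downloads on its own. The baseline token list and the `allowDownloads` option name are assumptions.

```javascript
// Added example, not Kolibri's implementation. Baseline tokens and the
// per-node option name are assumptions for illustration.

// Assumed baseline: HTML5 apps keep scripts enabled and get nothing else.
const BASELINE_SANDBOX = ["allow-scripts"];

// Build the sandbox attribute value for an HTML5AppNode. `allowDownloads`
// is the hypothetical per-node option from the issue; only an explicit
// `true` (not a truthy string) adds the allow-downloads token.
function buildSandbox(node = {}) {
  const tokens = new Set(BASELINE_SANDBOX);
  if (node.allowDownloads === true) {
    tokens.add("allow-downloads");
  }
  return [...tokens].join(" ");
}

// Audit an existing sandbox value. Splits the attribute into tokens and
// reports what downloads the frame may perform: a user click on a download
// link needs only allow-downloads, while a script-initiated download
// additionally needs allow-scripts (the case the issue flags as risky).
function auditSandbox(value) {
  const tokens = new Set(
    String(value).toLowerCase().split(/\s+/).filter(Boolean)
  );
  const scripts = tokens.has("allow-scripts");
  const downloads = tokens.has("allow-downloads");
  return {
    tokens: [...tokens].sort(),
    userDownloads: downloads,
    scriptedDownloads: downloads && scripts,
  };
}

// Apply the computed value to a frame-like object (anything exposing
// setAttribute, so an <iframe> in the browser or a stub in a test).
function applySandbox(iframe, node) {
  const value = buildSandbox(node);
  iframe.setAttribute("sandbox", value);
  return value;
}
```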
@poju3185
Contributor

poju3185 commented Mar 17, 2024

Hi @jredrejo, could you give me an example of such html5 app?

@jredrejo
Member Author

Hi @jredrejo, could you give me an example of such html5 app?

Yes, @poju3185 here's one: https://articulateusercontent.com/review/uploads/cPj4SORrydR49zuKNHfjfUrAe2RyfIyd/DxkvFL4f/index.html#/lessons/HCQgFWFRBDiv8VRaUq_uEDqzaF-57tXg

Anyway, it's important to understand the broader implications of enabling downloads through iframes. This goes beyond a simple code change.

Implementing this change would require:

Finally, the most crucial aspect is mitigating the risk of malicious content. How can we ensure uploaded content doesn't cause harm, and how much can we trust imported content? Cryptography might be a solution, but allowing anyone to upload apps with download capabilities opens up security vulnerabilities.

As you can see, this is a complex feature with significant technical and architectural considerations. Its feasibility needs careful evaluation.

@poju3185
Contributor

Thank you for the detailed explanation! Given the complexity and the careful evaluation needed to ensure both functionality and security, I think I'll sit this one out and observe for now. I look forward to seeing how this develops and learning from the process.
P.S. I am able to download the attachment file in the provided link. Is this the expected behavior?

@jredrejo
Member Author

P.S. I am able to download the attachment file in the provided link. Is this the expected behavior?

Yes, but if this HTML app is added in a channel for Kolibri you can't; that's what this issue tries to change.

@poju3185
Contributor

I see. Thank you.

@Wck-iipi
Contributor

@jredrejo I see that this issue has the tag TODO: needs decisions. But you have specified in great detail what to do. If this issue is up for grabs, I would like to solve it.

@rtibbles
Member

There's still a strong concern here about the potential for malicious behaviour. Loosening the sandbox, even selectively, would allow programmatically initiated downloads as well as user initiated ones.

I am not sure that allowing any loosening of the sandbox is actually desirable, but rather allowing non-renderable files to be included as separate file attachments, which the user can then choose to download via the user interface.

Either way, this issue is not ready for contribution, hence the needs decisions label.
