由于使用 HTTP 而不是 HTTPS,Chrome 阻止使用 FileResponse 下载 FastAPI 文件
我有一个基本的 FastAPI 网站,带有用于下载 Excel 模板的端点。该 URL 的方案是 HTTPS。直到最近,这在 Chrome 和 Safari 上都运行良好。随着人们的升级,Chrome 一直在阻止下载。这似乎与此处描述的针对“混合内容下载”实施的 Google 不安全内容政策一致:
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
我的端点非常简单:
@router.get('/download_data_template')
def download_data_template(request: Request):
'''Returns data template from library
'''
# ### auth
# page access is authorized here
# end auth
file_name = 'TEMPLATE schedule_input.xlsx'
return FileResponse(
path=db.get_library_path(file_name),
filename=file_name,
media_type='application/octet-stream',
)
端点是从Jinja2 模板化 html 页面如下:
<a class="btn btn-primary" href="{{ url_for('upload_schedule')}}" data-toggle="tooltip" data-delay='{"show":750, "hide":250}' data-placement="top" data-toggle="tooltip" data-delay='{"show":750, "hide":250}' data-placement="top" title="click to select and upload file. The file must be in property format.">upload schedule input workbook</a>
在 Chrome 上,开发人员面板显示以下错误:
"Mixed Content: The site at 'https://<my_url>.com/' was loaded over a secure connection, but the file at 'https://<my_url>.com/download_data_template' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details."
该文件没有什么独特之处,它是一个基本的 Excel .xlsx 文件,是供人们填写的模板。
这在 Safari 和 Edge 中继续正常工作,但被 Chrome 阻止。
chromium 博客中的文章内容丰富,但我不知道如何确保我的下载安全。我也搜索过但没有成功。
关于如何使用 FastAPI 从光盘下载基本文件(特别是 .xlsx 文件),并且符合 Google 的新政策,有什么想法吗?
感谢您对此提供的任何帮助。
I have a basic FastAPI website with an endpoint to download an Excel template. The url's scheme is HTTPS. Until recently, this worked fine on Chrome and Safari. As people upgraded, Chrome has been blocking the download. This seems to be consistent with Google's insecure content policy implemented for 'mixed content downloads' described here:
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
My endpoint is pretty straightforward:
@router.get('/download_data_template')
def download_data_template(request: Request):
'''Returns data template from library
'''
# ### auth
# page access is authorized here
# end auth
file_name = 'TEMPLATE schedule_input.xlsx'
return FileResponse(
path=db.get_library_path(file_name),
filename=file_name,
media_type='application/octet-stream',
)
The endpoint is called from a Jinja2 templated html page with this:
<a class="btn btn-primary" href="{{ url_for('upload_schedule')}}" data-toggle="tooltip" data-delay='{"show":750, "hide":250}' data-placement="top" data-toggle="tooltip" data-delay='{"show":750, "hide":250}' data-placement="top" title="click to select and upload file. The file must be in property format.">upload schedule input workbook</a>
On Chrome, the developer panel shows the following error:
"Mixed Content: The site at 'https://<my_url>.com/' was loaded over a secure connection, but the file at 'https://<my_url>.com/download_data_template' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details."
The file is nothing unique, it is a basic Excel .xlsx file, a template for people to fill out.
This continues to work fine in Safari and Edge but is blocked by Chrome.
The article in the chromium blog is informative but I do not see how I can make my download secure. I have searched with no success as well.
Any thoughts on how I can make a basic file download, specifically an .xlsx file, from disc using FastAPI that will conform with Google's new policy?
Thank you for any help on this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
选项 1
您可以使用
HTTPSRedirectMiddleware强制所有传入对http的请求被重定向到安全方案。选项 2
除了上述之外,您还可以在 Jinja2 模板中使用相对 URL,而不是使用
url_for();例如:这样,URL的scheme将保持
https。选项 3
您可以使用自己的
url_for自定义函数来替换 URL 的方案,类似于 这个答案。如果您使用代理服务器(例如 Nginx),您也可以尝试传递
- Uvicorn 的 -proxy-headers参数,如所述 此处和此处。Option 1
You could use
HTTPSRedirectMiddlewareto enforce all incoming requests tohttpbeing redirected to the secure scheme instead.Option 2
In addition to the above, you could use relative URLs instead of using
url_for()in your Jinja2 template; for instance:In this way, the scheme of the URL will remain
https.Option 3
You could have your own
url_forcustom function to replace the scheme of the URL, similar to the approach demonstrated in Option 2 of this answer.If you are behind a proxy server, such as Nginx, you may also try passing
--proxy-headersparameter to Uvicorn, as described here and here.我正在通过 FastAPI 后端开发 React App,并且遇到了类似的问题。我不确定
{{ url_for('upload_schedule')}}在您的渲染引擎中评估什么,但就我而言,问题在于不准确的 URL 及其由 FastAPI 的处理。参考您的示例,我放入了 UI 代码
/download_data_template/,因此 FastAPI 引擎发送了307,因为它重定向到/download_data_template。在 UI 代码中用/download_data_template/替换/download_data_template/解决了这个问题。这可能是 Chrome 的问题而不是 FastAPI 的问题,但这是一个可以立即修复该问题的简单解决方法。
I am developing React App over FastAPI backend and had similar issue. I am not sure what
{{ url_for('upload_schedule')}}evaluates for in your rendering engine, however in my case the problem was in inaccurate URL and its handling by FastAPI.Referring to your example, I placed in my UI code
/download_data_template/, so FastAPI engine sent307, because it redirected to/download_data_template. Replacing/download_data_template/with/download_data_templatein UI code solved that for me.This is probably rather problem of Chrome than FastAPI, but this is a simple workaround that fixes that instantly.