Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File Block: Remove the download attribute #10693

Closed
wants to merge 1 commit into from
Closed

File Block: Remove the download attribute #10693

wants to merge 1 commit into from

Conversation

Copons
Copy link
Contributor

@Copons Copons commented Oct 17, 2018

Description

Remove the download attribute from the File block's "Download" button.

The addition of the download attribute for a tags to the wp_kses whitelist has been recently blocked (cc @pento):

The download attribute doesn't work on cross-origin links (eg, any site that uses a CDN for hosting uploads). I don't know that we necessarily need to account for this, but it is something to consider.

It's also a risk to allow the download filename to be set: for example, an author could upload my_definitely_not_suspicious_file.txt, but then set the download attribute to be CLICK_ME.bat, which isn't great. If we do allow the download attribute, it should only be allowed with no value.

It makes sense to me to just remove the attribute altogether from the File block, and leave to the user the decision of saving the file instead of navigating to it.

How has this been tested?

Manually on a local environment, checking for regressions.

Checklist:

  • My code is tested.
  • My code follows the WordPress code style.
  • My code follows the accessibility standards.
  • My code has proper inline documentation.

@Copons Copons added [Type] Enhancement A suggestion for improvement. [Feature] Blocks Overall functionality of blocks labels Oct 17, 2018
@Copons Copons self-assigned this Oct 17, 2018
@youknowriad youknowriad requested a review from a team October 18, 2018 11:41
talldan
talldan reviewed Oct 18, 2018
View reviewed changes
Copy link
Contributor

@talldan talldan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, @Copons!

I noticed when testing this, the 'button' still says download, which is misleading for the user:
screen shot 2018-10-18 at 7 57 40 pm

I think we should consider removing this button entirely or alternatively changing the default text (could be changed to something like 'open').

The other part that's misleading is the toggle option in the sidebar:
screen shot 2018-10-18 at 7 59 59 pm

This could be removed or perhaps changed to just 'Show button'.

packages/block-library/src/file/index.js
// ensure download attribute is still set when fileName
// is undefined. Using '' here as `true` still leaves
// the attribute unset.
download={ getTextContent( create( { html: fileName } ) ) }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing the download attribute makes the button style link somewhat redundant in the File block. It ends up doing the same thing as the other link.

I wonder if we'd consider removing it - that would probably need a designer's input

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to remove the download attribute, we just need to set it with no value.

packages/block-library/src/file/index.js
},
// Differs to the href when the block is configured to link to the attachment page
textLinkHref: {
type: 'string',
source: 'attribute',
selector: 'a:not([download])',
selector: '.wp-block-file__link',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we did remove the download button, this selector could be changed back to a

@talldan talldan added the Needs Design Feedback Needs general design feedback. label Oct 18, 2018
@Copons
Copy link
Contributor Author

Copons commented Oct 18, 2018

Thanks for the review @talldan, you made some very interesting points.

Removing the download attribute makes the button style link somewhat redundant in the File block. It ends up doing the same thing as the other link.

I'd argue that the button would still have a value as a CTA.

Off the top of my head, I can think of a couple of way to keep the button still useful, even without a behaviour of its own:

  • When the block is set to show the button, the filename is not a link.
    E.g. filename.txt <a href="filename.txt">Download</a>

  • The button is part of the link, so that when hovered they change style together.
    E.g. <a href="filename.txt">filename.txt <span>Download</span></a>

changing the default text [...] to something like 'open'

the toggle option in the sidebar [...] could be [...] changed to just 'Show button'.

Both these points make much sense to me, but of course let's wait for a design look. 🙂

@Copons Copons mentioned this pull request Oct 19, 2018
Closed
@vindl vindl requested a review from jasmussen October 19, 2018 17:03
@pento
Copy link
Member

pento commented Oct 20, 2018

We don't need to remove the download attribute entirely. If we just restrict it to being set (but not given a value), which removes the security issues.

For sites that use a CDN for hosting uploads, you could use a file passthrough handler to add the Content-Disposition: attachment header, forcing the file to be a download. In WordPress Multisite, that already exists in the form of ms-files.php. For prehistoric multisites, such as WordPress.com, there's also wp-content/blogs.php, which is a file you should definitely look at. ;)

pento
pento requested changes Oct 20, 2018
View reviewed changes
packages/block-library/src/file/index.js
// ensure download attribute is still set when fileName
// is undefined. Using '' here as `true` still leaves
// the attribute unset.
download={ getTextContent( create( { html: fileName } ) ) }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to remove the download attribute, we just need to set it with no value.

@pento pento mentioned this pull request Oct 21, 2018
Closed
4 tasks
@Copons Copons mentioned this pull request Oct 23, 2018
Merged
4 tasks
@Copons
Copy link
Contributor Author

Copons commented Oct 23, 2018

Replaced by #10948

@Copons Copons closed this Oct 23, 2018
@youknowriad youknowriad deleted the remove/download-attr-file-block branch October 23, 2018 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@talldan talldan talldan left review comments

@pento pento pento requested changes

@ellatrix ellatrix Awaiting requested review from ellatrix

@youknowriad youknowriad Awaiting requested review from youknowriad

@gziolo gziolo Awaiting requested review from gziolo

@jasmussen jasmussen Awaiting requested review from jasmussen

Assignees

@Copons Copons

Labels
[Feature] Blocks Overall functionality of blocks Needs Design Feedback Needs general design feedback. [Type] Enhancement A suggestion for improvement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Copons @pento @talldan