From 2e6f616e91f6a94b6443b0c6f00f8543d2a2796f Mon Sep 17 00:00:00 2001 From: Oliver Sand Date: Fri, 21 Jan 2022 00:52:06 +0100 Subject: [PATCH] Allow downloads from widgets (#7502) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Notes: Allow downloads from widgets. We are working on a widget that allows the user to download a file (a ICS calendar entry). Right now the sandbox of the widget iframe doesn't allow downloading. Instead, the following error is displayed in the console (for Google Chrome): ``` Download is disallowed. The frame initiating or instantiating the download is sandboxed, but the flag ‘allow-downloads’ is not set. See https://www.chromestatus.com/feature/5706745674465280 for more details. ``` Therefore this PR adds `allow-downloads` to the sandbox capabilities. Steps to reproduce: 1. Create a simple widget with an `index.html` file like, e.g. ``` Download ``` 2. Host the widget somewhere, add it to the room and open the widget 3. Click on the download button * Without the fix: Nothing happens, there is a warning in the console (see above) * With the fix: The file is downloaded Signed-off-by: Oliver Sand
---
 src/components/views/elements/AppTile.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/components/views/elements/AppTile.tsx b/src/components/views/elements/AppTile.tsx
index 8a17cbe812..6cf55d1eff 100644
--- a/src/components/views/elements/AppTile.tsx
+++ b/src/components/views/elements/AppTile.tsx
@@ -454,7 +454,7 @@ export default class AppTile extends React.Component {
 // hosted on the same origin as the client will get the same access as if you clicked
 // a link to it.
 const sandboxFlags = "allow-forms allow-popups allow-popups-to-escape-sandbox " +
- "allow-same-origin allow-scripts allow-presentation";
+ "allow-same-origin allow-scripts allow-presentation allow-downloads";
 // Additional iframe feature pemissions
 // (see - https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes and https://wicg.github.io/feature-policy/)
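Review bot: `allow-downloads` is appended to the single `sandboxFlags` string, which appears to apply to every widget iframe, so the permission would go to any widget added to a room and not only to the calendar widget in the description. Because the string also carries `allow-scripts`, widget script may be able to start a download without the user clicking a link; whether a user gesture is still required depends on the browser, so that is worth confirming for widgets hosted by third parties. If the flag stays unconditional, the comment block above the string should record the decision, for example `// allow-downloads: widgets may offer files for download; granted to all widgets, trusted or not`. That comment block and the enclosing method both start outside the hunk, so the existing rationale could only be read in part.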