Problem statement
Summary
File downloads are impossible from a Rayfin app running inside the Fabric Portal, because the Fabric data app workload renders the app in a sandboxed iframe without the allow-downloads attribute. It would be great if Rayfin enabled Fabric's sandbox relaxation mechanism for data apps, so that apps generating files (documents, exports, reports) can offer downloads directly.
Current behavior
- The app is deployed with
rayfin up and runs inside the Fabric Portal in an iframe sandboxed with allow-same-origin allow-scripts only.
- Any download attempt from inside the iframe —
<a download>, file-saver's saveAs(), window.open() with a blob URL — is silently blocked by the browser. This is intended browser behavior for sandboxed iframes without allow-downloads (see Chrome Platform Status and the WHATWG discussion), so there is no client-side workaround.
- As a workaround, we currently show a notice asking the user to copy the app URL and reopen it in a regular browser tab, where downloads work. This is a poor experience for an app whose core output is a downloadable file.
Expected behavior
Downloads initiated by user action inside the app should work while the app is embedded in the Fabric Portal.
Environment
- Rayfin guide/docs version: 1.33.2
- Deployment target: Fabric data app (managed workload,
rayfin up)
- Browsers tested: Chromium-based (behavior is per HTML spec, so all modern browsers are affected)
Use case
Our app converts user-uploaded .docx files and produces new documents. The download of the generated file is the app's primary output, so the current limitation forces every user through the "copy link → open in a new tab" detour on every use.
Proposed solution
Proposed solution
Fabric already has an official mechanism for this: workloads built with the Extensibility Toolkit can set <EnableSandboxRelaxation>true</EnableSandboxRelaxation> in the workload manifest. After an additional user consent, the iframe is granted allow-downloads, allow-forms, and allow-popups — see How-To: Relax the iFrame.
Since the Fabric data app workload manifest is managed by Rayfin, app developers cannot opt into this themselves. Could Rayfin:
- Enable sandbox relaxation on the Fabric data app workload (with the standard consent flow), or
- Expose it as an opt-in setting (e.g., in
rayfin.yml) for apps that need downloads?
Alternatives considered
No response
Additional context
No response
Problem statement
Summary
File downloads are impossible from a Rayfin app running inside the Fabric Portal, because the Fabric data app workload renders the app in a sandboxed iframe without the
allow-downloadsattribute. It would be great if Rayfin enabled Fabric's sandbox relaxation mechanism for data apps, so that apps generating files (documents, exports, reports) can offer downloads directly.Current behavior
rayfin upand runs inside the Fabric Portal in an iframe sandboxed withallow-same-origin allow-scriptsonly.<a download>,file-saver'ssaveAs(),window.open()with a blob URL — is silently blocked by the browser. This is intended browser behavior for sandboxed iframes withoutallow-downloads(see Chrome Platform Status and the WHATWG discussion), so there is no client-side workaround.Expected behavior
Downloads initiated by user action inside the app should work while the app is embedded in the Fabric Portal.
Environment
rayfin up)Use case
Our app converts user-uploaded
.docxfiles and produces new documents. The download of the generated file is the app's primary output, so the current limitation forces every user through the "copy link → open in a new tab" detour on every use.Proposed solution
Proposed solution
Fabric already has an official mechanism for this: workloads built with the Extensibility Toolkit can set
<EnableSandboxRelaxation>true</EnableSandboxRelaxation>in the workload manifest. After an additional user consent, the iframe is grantedallow-downloads,allow-forms, andallow-popups— see How-To: Relax the iFrame.Since the Fabric data app workload manifest is managed by Rayfin, app developers cannot opt into this themselves. Could Rayfin:
rayfin.yml) for apps that need downloads?Alternatives considered
No response
Additional context
No response