IE throws “File Download Security Warning” on form submit

27 05 2009

I came across with this weird IE bug(occurs in IE-6 and IE-7 not in IE-8) that throws a File Download Security Warning on form post.

File download security warning

File download security warning

This is the code for the corresponding action inside controller

def update
 respond_to do |format|
  format.js   {....}
  format.html {....}
 end
end

* I guess this bug will only propagate if respond_to is used

I put a debugger after the respond_to line and made a http post request through IE6 and IE7 browsers and hooked into the request parameters.

request.format => #<Mime::Type:0x7b567a4 @string="image/jpeg", @synonyms=[], @symbol=nil >
request.format.html? => nil

Making the same the request through Firefox returned this

request.format => #<Mime::Type:0x55da8b8 @string="text/html", @synonyms=["application/xhtml+xml"], @symbol=:html >
request.format.html? => true
request.format.js? => false

So one thing came into light that there is no Mime::Type registered for “images/jpeg” i.e format sent by IE

Looking at Rails 2.1.0 code actionpack/lib/action_controller/request.rb line no: 92

# Returns the Mime type for the format used in the request. If there is no format available, the first of the 
# accept types will be used. 
def format
  @format ||= parameters[:format] ? Mime::Type.lookup_by_extension(parameters[:format]) : accepts.first
end

And that brought me to the solution.If no request format is available, which is the case with IE, then the first format will be picked up.So moving format.html above the format.js will solve the problem(or i should say format.html should be the first format defined)

def update
 respond_to do |format|
  format.html {....}
  format.js   {....}
 end
end

Or we can also use format.any to our rescue(instead of moving format.html)

def update
 respond_to do |format|
  format.js   {....}
  format.any  {....}
 end
end