Customizing the download experience
Downloading files is a very common activity, and in Internet Explorer 10 we made several improvements in the file download experience and integrated the SmartScreen Application reputation check to help users make better trust decisions. This article summarizes many server side customization options available with the Microsoft Download Manager so that developers can provide the best file download experience for users.
Content-disposition header
To force the browser to treat a specific file as a download, send a content-disposition header with the attachment
token. This is useful as some applications installed on the user’s machine can register themselves to handle certain MIME types and bypass Windows Internet Explorer download experience. For example, Microsoft Windows Media Player in some installations can set itself to handle mp3 files. Hence, a file link to an mp3 resource will directly open in Windows Media Player when a user navigates to it in Internet Explorer. The user doesn’t get the option to save the file to disk in the browser.
With the content-disposition header set to attachment
, Internet Explorer download experience offers the user the choice to open or save:
TriggerFileDownload
We added a new function in Windows Internet Explorer 9 that lets browser add-ons trigger the file download experience in Internet Explorer 9. When this API is invoked, the user sees the download notification bar as shown previously
void TriggerFileDownload (string URL)
For more info, see TriggerFileDownload.
The NoOpen
Directive
When a user clicks Open on the download acceptance bar, Internet Explorer downloads the file to the temporary Internet files folder and doesn't keep a record of it in the download manager. If the user clicks Save, the file is saved to the Downloads folder and an entry is created in the download manager history.
To prevent users from opening a file immediately (and potentially losing track of the downloaded file) developers can specify the NoOpen
directive. This way the user won’t accidentally open the file and lose it in the Temporary Internet Files folder.
You can set this directive in one of two ways:
- The X-Download-Options HTTP response header (supported by Windows Internet Explorer 8 and later).
- The download options meta tag
<meta name="DownloadOptions" content="noopen">
(supported by Microsoft Internet Explorer 6 and later).
When this directive is set, Internet Explorer won't offer the Open option in the download acceptance bar:
Resuming downloads
Internet Explorer follows HTTP standards for resuming downloads. Resumption works both on HTTP and HTTPS. In order to ensure that downloads from your website are resumable, refer to section 14.5 of RFC 2626. Here are some general best practices for resuming downloads:
- Send HTTP headers that permit caching.
- Include the
Accept-Ranges
header with the token bytes. - Include a strong ETAG validator on HTTP/1.1 responses.
- Include a Last-Modified header for HTTP/1.0 responses - refer to section 14.29 of RFC 2626. This header is optional for HTTP/1.1 responses.
Signing files
Developers are strongly encouraged to sign their applications using Authenticode. Internet Explorer verifies the publisher of downloaded applications and displays the publisher name in the download manager. This increases confidence that the application comes from a trusted source.
If an application is digitally signed with Authenticode, SmartScreen’s Application Reputation can take the digital certificate’s reputation into account when determining the file’s reputation. This is especially useful for new files that aren't yet commonly downloaded.
If an application isn't signed, and the user has SmartScreen’s Application Reputation disabled (or the check fails for any reason), the download notification will show the following warning:
Bypassing download acceptance prompt
Some sites give users instructions on how to bypass the acceptance prompt for their downloads. A common example is a site that has custom handlers and wants users to directly open their files in their applications.
Previously Internet Explorer 8 showed a check box on the File Download dialog box that users could clear to automatically open files:
The functionality of this check box was moved in Internet Explorer 9 to the context menu in the download manager:
Applications that register themselves to handle certain MIME types via COM (and not shell execute) can set FTA_OpenIsSafe appropriately to bypass the acceptance prompt.
Handing off downloads to applications
With Internet Explorer 10, it's possible for applications to register to download file types that they handle. This feature is called DirectInvoke. Application registration is simple and basically requires applications to declare that they can handle HTTP(s) URLs. To trigger DirectInvoke, servers need to send the X-MS-InvokeApp: 1 HTTP response header, which directs Internet Explorer 10 to hand off the URL to the default application for download. If the application doesn't handle URLs, Internet Explorer 10 downloads the file for the application. For more info, see Invoke applications directly in Internet Explorer 10.
Getting the URL of the downloaded file
With Internet Explorer 10, applications can get the URL of the downloaded file as described next.
- Win32 applications can get the URL of the downloaded file in 2 ways:
- Applications can include %U in their shell command as in HKEY_CLASSES_ROOT\Applications\<application>.exe: <application command path> /n "%1 %U"
- If the application has SupportedProtocols and is set, the URL is part of command line parameter %1
- A Windows Store app can pick up the URL from the createFileFromStorageFile property of the file using the IStorageItemExtraProperties interface. System.ExpandoProperties contains the "originURL" property which is populated with the URL.
Note The URL is not handed off in the case when the server sends the content-disposition header.
Using the info presented in this topic helps ensure that users have a great file download experience.