In our Rails app that runs in Facebook canvas, we have a workflow where a logged-in user can build a document and then download it.
When the file is ready we show a link to it. This is just a Rails action that renders using send_file in dev or head (with proper NGINX config) in production. This part works fine.
In order to have the file start downloading without opening a new browser tab, we had the link target an empty iframe.
This was working, but a while back, presumably due to a security change by Facebook, our link stopped working. The JavaScript errors show:
Refused to display document because display forbidden by X-Frame-Options.
Users can still open the link in a new tab and it will download the file, and a quick fix is to make the link open a new browser tab, but that isn’t as good a user experience.
We tried changing the X-Frame-Options in the headers and/or using meta tags, but this is canvas (running in an iframe), so that just stopped those views from displaying.
I also tried this form solution, but it didn’t do anything (I could have been doing it wrong).
Is there any way we can build a button or link that will start the file download without opening a new browser tab?
Do you need to set the target at all? With no target set, would it not trigger a file download popup in the browser, but leave the current browser window/tab on the same content?