Downloading image from fancybox results in "download.txt" being sent to client and download fails with "forbidden"

[SeToY]

Hello there,

I think this has something to do with either my forum setup (on IIS) or the web.config that was rolled out since we started using XenForo 1.5 (and later upgraded to 2.2).

Every time I try to download an image from the fancybox, my browser prompts me to store a "download.txt" instead of the actual image. When actually trying to download the file, the download errors out with a "Failed - Forbidden".

Anyone knows where I might start the investigation?

Thanks!

 

[Paul B]

Does your web.config look like this?

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Imported Rule 1" stopProcessing="true">
                    <match url="^.*$" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" />
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="Imported Rule 2" stopProcessing="true">
                    <match url="^(data|js|styles|install)" />
                    <action type="None" />
                </rule>
                <rule name="Imported Rule 3" stopProcessing="true">
                    <match url="^.*$" />
                    <action type="Rewrite" url="index.php" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors existingResponse="PassThrough" />
    </system.webServer>
</configuration>

 

[SeToY]

It contained those rules, but also others. I figured out what the issue was, thank you.

Apparently the download handler does not pass an "accept" header to the server, which I had disabled due to DDoS issues:

<rule name="Deny empty accept headers" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{HTTP_ACCEPT}" pattern="^$" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You did not present an Accept header which is required for this site." />
</rule>

After removing that rule, everything works as expected.

Do you think passing an accept header in one of the next XF versions would be a reasonable suggestion?

 

[Paul B]

Feel free to make the suggestion - the dev's will make the decision as to whether to implement it or not.