Sep 06 2021 02:21 AM - edited Sep 06 2021 02:24 AM
Summary
The PDF reader in Microsoft Edge does not handle sensitive PDF documents as expected. Microsoft Edge attempts to download the PDF document a second time when you try to save the PDF document to the desktop.
Use case
A website offers the PDF files with a secure one-time use only URL, for example:
https://secure.example.com/my/site?fileId=866e0a76a298781c8f58c6e5cd34
1. When the user opens the document from a website, the following HTTP response header/body is sent to Microsoft Edge:
HTTP/1.1 200 OK
Date: Fri, 03 Sep 2021 10:35:31 GMT
Server:
Cache-Control: no-cache, no-store, max-age=0
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Disposition: inline; filename=mypayslip.pdf; size=8521
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/pdf
Content-Language: en
e83
%PDF-1.4
5 0 obj
<<
/Type /XObject
...
2. The PDF reader in Microsoft Edge shows the PDF document directly in the browser UI (default behavior).
3. You click on the Save icon of the PDF viewer to save the payslip locally on the desktop.
4. For the 2nd time, Microsoft Edge *again* downloads the document with the same URL:
GET https://secure.example.com/my/site?fileId=866e0a76a298781c8f58c6e5cd34
--> The website does not allow this action as the URL is one-time use only. Because of that, the HTTP response contains an HTML error page instead of the actual PDF document.
5. The PDF reader will still propose to Save the file with a filename of "site.html" but you'll not be saving the payslip. Instead, you're saving an HTML page.
Conclusion
It is not possible to save the PDF document to the desktop when using the PDF reader of Microsoft Edge, using the default setup of Microsoft Edge.
"Workaround" (because not really)
The only workaround for this is *not* using the internal PDF reader of Edge, but letting Microsoft Edge download the PDF file instead:
This is obviously not desirable as you won't be able to use the internal PDF viewer anymore.
Points of Interest
Two interesting observations
Final Comments
In summary, why does Microsoft Edge try to download the PDF document twice from the website? The entire document is already downloaded and available in the browser. Other browsers like Mozilla Firefox behave better than Microsoft Edge with exactly the same HTTP response headers.
I'd love to hear whether the behavior of the PDF reader in Microsoft Edge is expected or not. Is this in accordance with the RFC specifications for the given HTTP response headers? Secondly, are there any changes to the HTTP response headers that could avoid the 2nd download attempt, while keeping the HTTP header "Cache-Control: no-cache, no-store, max-age=0" part of the HTTP response header?
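Added example, not part of the original post and not Microsoft's or the website's code: a minimal local server that reproduces the one-time-use URL scenario from steps 1 to 5, so the first and second GET of the same URL can be compared. The 410 status, the token value and the helper names (`make_server`, `fetch`) are assumptions; the post only states that the second response is an HTML error page.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample bodies; the headers are a subset of the response quoted in the post.
PDF_BODY = b"%PDF-1.4\n% constructed sample\n%%EOF\n"
ERROR_BODY = b"<html><body>This link has already been used.</body></html>"
PDF_HEADERS = {
    "Cache-Control": "no-cache, no-store, max-age=0",
    "Content-Disposition": "inline; filename=mypayslip.pdf",
    "Content-Type": "application/pdf",
}

class OneTimeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        file_id = parse_qs(urlparse(self.path).query).get("fileId", [""])[0]
        with self.server.lock:  # check-and-consume must be atomic across threads
            fresh = file_id in self.server.unused
            self.server.unused.discard(file_id)  # the first GET burns the token
        if fresh:
            status, headers, body = 200, PDF_HEADERS, PDF_BODY
        else:  # assumption: 410; the post only says an HTML error page is returned
            status, headers, body = 410, {"Content-Type": "text/html"}, ERROR_BODY
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console quiet
        pass

def make_server(tokens, port=0):
    # port=0 lets the OS pick a free port; the server runs in a daemon thread
    server = ThreadingHTTPServer(("127.0.0.1", port), OneTimeHandler)
    server.unused, server.lock = set(tokens), threading.Lock()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Content-Type"), resp.read()

if __name__ == "__main__":
    srv = make_server({"demo-token"})  # constructed token value
    for attempt in (1, 2):  # the second GET of the same URL gets the HTML error page
        print(attempt, *fetch(srv.server_address[1], "/my/site?fileId=demo-token")[:2])
```

Passing a fixed `port` to `make_server` and keeping the process alive lets a browser be pointed at the same URL to watch whether its viewer's Save action issues a second request.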
Oct 06 2021 09:10 AM