#linamarythomas_code

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1483275371968331948

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

a file (binary content) from an authenticated backend API inside a Stripe UI Extension?
Could you clarify a bit more here? Which Doc/flow are you following?

Sure Orakaro!

We're following the Content Security Policy docs at https://docs.stripe.com/stripe-apps/content-security-policy and the general Build a UI guide, but neither mentions file downloads.

There is no documented flow for downloading binary files from an authenticated backend. The CSP docs explain how to allowlist connect-src domains for fetch(), which we've done successfully — our API call works
and we receive the file data. The problem is the last step: getting that binary data to the user as a downloadable file.
window.open() and programmatic <a>.click() are both silently blocked. Link href only works for HTTPS URLs, not blob URLs. Is there a supported pattern for this, or should we redesign our backend to return a pre-signed URL instead of binary content?

Hmm https://docs.stripe.com/stripe-apps/content-security-policy doesn't exist. Could you double check the URL?

Sorry

its this one

https://docs.stripe.com/security/guide#content-security-policy

Sorry but I think I am missing the right link which I referred to

But the issue is that we're following the general Build a UI guide but there's no documented flow for downloading binary files from an authenticated backend.
Our API call works fine and we receive the binary data successfully. The problem is the last step: getting that binary data to the user as a downloadable file.

We've tried: 1. window.open(blobUrl, '_blank') — silently does nothing 2. <Link href={blobUrl} target="_blank"> — silently does nothing (blob URL created in the extension iframe is not accessible from the host)
3. // We are assuming this will work (HTTPS URLs):
<Link href="https://example.com/file.zip" target="_blank">Download</Link>

Yeah I am trying to grasp which part you are generating the file. Is the authenticated backend that you managed the one who generated that file?

Yes, thats right. The file is generated and served by our backend. The flow is:

1. User clicks "Download" in the extension 2. Extension calls our backend API (fetch() with Stripe signature auth headers) 3. Our backend verifies the signature and returns the ZIP file as binary content (application/zip)

The fetch succeeds and we receive the binary data. The problem is step 4 — we can't find a way to present that file to the user from within the app(extension sandbox).

Um I think Stripe App UI extension is a sandbox iframe which doesn't allow you to trigger download anyway. How about letting your backend to return a downloadable URL instead of the binary data?

The you can use this Link component: https://docs.stripe.com/stripe-apps/components/link