After recent updates, can no longer download files in IE 11


  • Sometime in the last few weeks, MS pushed out IE 11 updates on Windows 10 which I believe may be interfering with the ability to download PDF files inside an iframe in my ASP.NET web application.

    This issue applies only to IE 11 (11.192.16299.0) on Windows 10, it has not been reported to us with other configurations. My colleagues operating with older versions of IE 11 do not experience the issue.

    My application has an iframe, in which our own content can be loaded. After loading a page into the iframe and attempting a file download within that iframe, it appears to the user that nothing happens. Inspecting the console, I notice the following two warnings, which have been present in the application for quite some time:

    SEC7131: Security of a sandboxed iframe is potentially compromised by allowing script and same origin access.
    DOM7011: The code on this page disabled back and forward caching. For more information, see:

    Inspecting network traffic, I can see the file request go out, and a response come back. The response has the following headers:

    Cache-Control: no-cache, no-store
    Content-Dis; filename=doc.pdf
    Content-Length: 97542
    Content-Type: application/pdf
    Date: Thu, 25 Jan 2018 18:27:37 GMT
    Expires: -1
    Pragma: no-cache
    Server: Microsoft-IIS/10.0
    X-UA-Compatible: IE=Edge

    This appears to be a normal request to me. Cache-Control is properly set to no-cache, as the document contents are dynamically generated.

    And finally, here is the code in my codebehind that initiates the file download:

    Public Sub DownloadPdf() Handles Pdf.Click
        Dim pdf As Byte() = GetPdf()
        With Response
            With .Cache
                .SetMaxAge(New TimeSpan(0, 0, 30))
            End With
            .ContentType = "application/pdf"
            .AddHeader("Content-Disposition", "attachment; filename=doc.pdf")
            .AddHeader("Content-Length", pdf.Length.ToString)
        End With
    End Sub

    It is fair to assume GetPdf() is working properly, as the PDF generates and downloads in other browsers. Are there any apparent issues with my setup? Were there any security or settings changes that accompanied recent MS updates that could be interfering with my application?

    I appreciate any and all help with this. Thanks for looking.

    Thursday, January 25, 2018 6:39 PM

All replies

  • Hi anderson1423,

    According to your description, I suggest you could check the security setting in the ie option.

    If this issue still shows, I suggest you could report this issue in the ie feedback. 

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Friday, January 26, 2018 4:24 AM
  • Brando,

    Thanks for your reply. I checked my settings, and they currently match the options you showed in your image. The MS Developer link you provided appears to be for Edge-related issues, is this the correct place to report my problem?

    Friday, January 26, 2018 3:48 PM
  • Hi,

    PDF documents are hosted by third-party activex controls in IE. eg. Adobe PDF document reader... Use the Tools>Manage Addons>Show all addons to manage and identify which PDF document reader application your company is using. You should have both the x86 and x64 versions of your third-party PDF document reader installed (x86 chips will only have the x86 version installed). By default the Intranet zone will use 32 bit processes, other zones 64bit processes.

    SEC7131: Security of a sandboxed iframe is potentially compromised by allowing script and same origin access.

    Navigation outcomes (downloads) are dependant on the IE Security zone mapping of home domain and the resource domain. Use the File>Properties dialog to determine which IE security zone your dev/test and production environments map to. (same origin).

    ActiveX controls may also be blocked by ActiveX filtering (off by default for the Intranet zone).

    Tools>Internet Options>Advanced tab, uncheck "Do not save encrypted files to disk" is a common cause of secured content not being available for download.

    To debug your site, first go Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes.

    Close and re-open IE. Navigate to about:blank and press f12 to display the dev tool.

    On the Networking tab, click the start button.

    On the Debug tab, select "Always break on exceptions" from the dropdown. (looks like a stop sign)

    Return to the blank page (without closing the dev tool) and navigate to your test/dev/production environment... the console and networking tabs will list the response codes and error messages for markup, security, XSS and blocked content (ActiveX filtering, tracking protection)

    Use the File>Properties menu to confirm that the dev/test/production domain maps to the expected IE security zone.

    Use the Emulation tab on the dev tool to confirm that the site domain is using the emulation mode you expect.

    If possible include links to your website or a jsfiddle mashup with your questions.



    Sunday, January 28, 2018 12:32 AM
  • Rob,

    Thank you for your detailed response! I inspected each of the settings you mentioned, and everything appeared to be configured as you said. I set my dev console to break on all exceptions, and went through the file download process again. No exceptions occurred. I tested using both a local instance of the application and a deployed instance.

    As before, I can see the network request go through, and return with a non-empty response. I have not noticed any change. Do you have any additional ideas?

    Thanks again for looking into it for me.

    Monday, January 29, 2018 6:20 PM
  • Hi,

    You did not mention which PDF viewer application or version you are using. If you are using an older version of Adobe PDF, it uses a satellite BHO to open PDF documents in the viewer frame within IE. Tools>Manage Addons>Show all addons, locate your PDF viewer application, and then double-click the item to display its properties page....for its vendor and version details.

    Here is mine...

    Name:                   Adobe PDF Reader
    Publisher:              Adobe Systems, Incorporated
    Type:                   ActiveX Control
    Architecture:           32-bit and 64-bit
    Version:                17.12.20093.238000
    File date:              ‎Thursday, ‎24 ‎August ‎2017, ‏‎10:10 PM
    Date last accessed:     ‎Friday, ‎26 ‎January ‎2018, ‏‎10:37 AM
    Class ID:               {CA8A9780-280D-11CF-A24D-444553540000}
    Use count:              222
    Block count:            486
    File:                   AcroPDF64.dll
    Folder:                 C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

    If your Adobe PDF viewer version 12 or less, then it is out of date and is using the PDF link helper BHO (which controls how PDF documents are opened in the browser context). You need to update to the latest version of their product and have both the x86 and x64 versions installed on x64 computers. (32bit versions on x86 processors).

    Other reasons why you may not be able to download (how? eg. right click link and select 'Save file as' or click Download link on web page (which web page?) are

    IE security settings or your companys' IT departments IE security zone mapping. File>Properties will tell you which IE security zone your website is mapped to.

    The code behind in your intranet application ( is using the wrong coding and is sending back the wrong content length. Use the Networking tab of the dev tool to inspect the response header of the returned pdf document.

    .... as mentioned.... your outcomes depend on WHICH third-party PDF viewer plugin/ActiveX control you are using, your IE security zone mapping and settings and the coding of the download link on your website/intranet.



    Monday, January 29, 2018 8:28 PM
  • Here is the info on my PDF plugin:

    Name:                   Adobe PDF Reader
    Publisher:              Adobe Systems, Incorporated
    Type:                   ActiveX Control
    Architecture:           32-bit and 64-bit
    Version:                15.16.20039.185268
    File date:              ‎Thursday, ‎June ‎30, ‎2016, ‏‎6:55 AM
    Date last accessed:     ‎Monday, ‎April ‎24, ‎2017, ‏‎9:27 AM
    Class ID:               {CA8A9780-280D-11CF-A24D-444553540000}
    Use count:              8
    Block count:            0
    File:                   AcroPDF64.dll
    Folder:                 C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

    The download process is triggered by a button click as the codebehind from the code snippet above demonstrates. Right clicking the button does not give a file download option, as the file doesn't exist until the button is clicked and the document is created. The button is expected to trigger a file download, rather than displaying the file in browser, for what it's worth.

    I should mention that I also have Microsoft Excel file downloads in the web application, which are similarly not working. Both PDF and MS Excel file downloads are confirmed to be working correctly in Edge, Chrome, and Firefox, which to me indicates that the files are built and transferred properly.

    Regarding the IE security settings, I did go through the settings you mentioned previously, for both the Internet zone (for a deployed application instance) and for the Local Intranet zone (for a local instance). I tested downloads using separate instances, one in each zone. Downloads failed in each case in IE, but work as expected in other browsers. Other users on the application report that the problem began after upgrading to Windows 10, leading me to believe a setting change is causing the issue, but I haven't been able to determine the root of the problem yet.

    Monday, January 29, 2018 9:46 PM
  • In certain Windows 10 builds (confirmed for 1703 and 1709), IE security settings were changed to prevent sandboxed iframe file downloads. There is no settings change or workaround I discovered that can resolve this other than removing sandboxing from the iframe.
    Wednesday, February 28, 2018 2:59 PM
  • I have just come across this issue in our own application.

    Removing the sandbox attribute on our iframe did NOT resolve the problem.  The only "fix" I have found is to remove the Content-Disposition header from the response. I quoted 'fix' since this isn't really a fix. It gets rid of the file name that our users are familiar with when downloading reports.  I will also have to touch a huge portion of code to remove this since this code is on every page of our large reporting section.

    Tuesday, October 9, 2018 6:28 PM