browser - How to block downloads in .NET WebBrowser control?

Question

I need to prevent the .NET WebBrowser control from showing any "Do you want to open or save this file?" and "Save As" dialogs. Instead, I want to display a message box telling users that file downloads are disabled for security reasons.

I started with the FileDownload event of WebBrowser, but it does not allow cancellation. Then, I used the approach from CodeProject: Extended .NET 2.0 WebBrowser Control to implement my own event based on the original COM call using the interface DWebBrowserEvents2. When I fixed the code according to an MS knowledge base entry about a bug with the FileDownload signature, the event handler was called and I was able to cancel the download.

This does not work with all downloads, though: download URLs pointing to an URL including .exe raise the event and can be cancelled before the dialog appears - but for others (like .do), the event handler is not called until the user clicks Open, Save or Cancel in the dialog.

A possible solution might be to intercept WH_CALLWNDPROCRET messages and 'answer' the dialog before it is shown to the user, but it sounds like much effort and I also would prefer a cleaner solution...

Does anybody know how to reliably block all downloads?

Answer 1

You could use Navigating event which allows cancellation.

Inside of this event, you could try to connect to URL that's being navigated yourself, inspect http response headers and cancel navigating if inappropriate ContentType is detected.

System.Net.WebRequest request = System.Net.WebRequest.Create(e.Url);

// we need only header part of http response
request.Method = "HEAD";

System.Net.WebResponse response = request.GetResponse();

// only text/html, text/xml, text/plain are allowed... extend as required
if (!response.ContentType.StartsWith("text/"))
{
  e.Cancel = true;
  MessageBox.Show("Not allowed for security resons...");
}

Obviously this is not bullet-proof solution but can give you an idea how to get started (if you don't mind extra tiny roundtrip just to retrieve http response headers).

Jens Bannmann wrote:

This is not ideal, as I'm dealing with web applications where the extra request might trigger an action being carried out twice :-(

Then I would create some simple proxy server that would inspect all received data and would filter out all http responses that could trigger "Save as" dialog in your web-browser control.

Simply, don't let your web-browser control directly access the internet but delegate all http requests to your special proxy server that will filter out all unsafe responses from the web.