Download an object

general considerations

Any download only works if the object we target exists.

The access control varies between the download methods.

download a blob (browser)

We attempt to trigger a background download programmatically. The browser only allows the download if the Firebase server has set a CORS header that targets our domain. As such, we have to whitelist our domain through gsutil.

If the CORS header is present, we request, receive and store the binary data into the browser's memory, encapsulated in a Blob object. We create a local URL that refers to it and trigger the download imperatively.

getBlob(fileRef).then((blob) => {
	// create the URL and trigger download imperatively
})
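One way to fill in the "create the URL and trigger download imperatively" step, as an added example that is not code from the original page. `saveBlob` and `safeFileName` are hypothetical helper names, and the `doc` and `urlApi` parameters are an assumption of this example so the logic can also run outside a browser.

```javascript
// Added example: getBlob() comes from the Firebase Storage SDK and is not
// called here; saveBlob receives the Blob that getBlob() resolves with.

// Keep only the last path segment and replace characters that are unsafe in a
// file name, so an object name like "a/../b?.png" cannot shape the saved name.
function safeFileName(objectName, fallback = "download") {
  const last = String(objectName).split(/[\\/]/).pop() || "";
  const cleaned = last.replace(/[\x00-\x1f<>:"|?*]/g, "_").replace(/^\.+/, "");
  return cleaned.slice(0, 255) || fallback;
}

// doc and urlApi default to the browser globals (hypothetical parameters,
// added so the function can be exercised with stand-ins).
function saveBlob(blob, objectName, doc = globalThis.document, urlApi = globalThis.URL) {
  // Local blob: URL that refers to the in-memory data; it is same-origin,
  // so the anchor's download attribute is honoured.
  const objectUrl = urlApi.createObjectURL(blob);
  const a = doc.createElement("a");
  a.href = objectUrl;
  a.download = safeFileName(objectName);
  a.style.display = "none";
  doc.body.appendChild(a);
  try {
    a.click(); // imperative trigger
  } finally {
    a.remove();
    // Release the in-memory copy after the browser has started the save.
    setTimeout(() => urlApi.revokeObjectURL(objectUrl), 0);
  }
  return a.download;
}

// Browser usage: getBlob(fileRef).then((blob) => saveBlob(blob, fileRef.name));
```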

get a download HTTP URL

We request a new download URL. Such a URL remains valid unless explicitly revoked. Access control is applied only when the URL is created; after that, use of the URL is neither controlled nor restricted, so anyone who holds it can fetch the object.

getDownloadURL(fileRef).then(url => ...)

The URL refers to a Google domain, and there is no cross-origin access (CORS) header by default.

HTTP URL: browser specifics

Because the URL is cross-origin, the browser prevents a direct download when the user clicks a download anchor tag. Instead, the click navigates to the URL and the content displays with no download.

When we use the URL in a media element's src attribute, nothing is downloaded to the user's filesystem, so the browser displays the content immediately even though it is cross-origin.

Due to the absence of the CORS header by default, the browser does not allow fetching the data in the background. We may enable the CORS header if such background download is important.


© 2025 - All rights reserved
