earlymorning.dev / Firebase / Download an object

Download an object

general considerations

A download only works if the object exists.

The access control varies based on the download method.

A download to the user computer may involve several steps.

download a blob (browser) and expose it as a local URL

Downloading a blob is invisible to the user and happens in the background. The browser expects the server to have a CORS header authorizing our domain as part of a whitelist, that we may set with gsutil. Otherwise, the browser refuses the operation.

If the browser allows it, it download the data and stores into memory, as a Blob object.

getBlob(fileRef).then((blob) => {
    // create the URL and trigger download imperatively
})

We may create a local URL that refers to the blob in memory and trigger a download from that local URL.

get a download HTTP URL

Alternatively, we may directly request a download URL from Firebase. Such URL remains valid unless explicitely revoked. Access control is done at URL creation time. Once the URL is created, it may be consumed without access control checks.

getDownloadURL(fileRef).then(url => ...)

The URL points to a Google domain. Such domain does not add CORS headers by default.

HTTP URL: browser specifics

Due to cross-origin, the browser prevents the user from doing a direct download when clicking on a download anchor tag. Instead, the browser performs a navigation, ignore any download attribute.

When we make use of the URL in a media element's src attribute, there is no download on the user's filesystem, so the browser display the content immediately even though it's cross-origin.

Due to the absence of the CORS header by default, the browser does not allow fetching the data in the background. We may enable the CORS header if such background download is important.

earlymorning logo

© 2025 - All rights reserved

earlymorning.dev / Firebase / Download an object

Download an object

general considerations

A download only works if the object exists.

The access control varies based on the download method.

A download to the user computer may involve several steps.

download a blob (browser) and expose it as a local URL

Downloading a blob is invisible to the user and happens in the background. The browser expects the server to have a CORS header authorizing our domain as part of a whitelist, that we may set with gsutil. Otherwise, the browser refuses the operation.

If the browser allows it, it download the data and stores into memory, as a Blob object.

getBlob(fileRef).then((blob) => {
    // create the URL and trigger download imperatively
})

We may create a local URL that refers to the blob in memory and trigger a download from that local URL.

get a download HTTP URL

Alternatively, we may directly request a download URL from Firebase. Such URL remains valid unless explicitely revoked. Access control is done at URL creation time. Once the URL is created, it may be consumed without access control checks.

getDownloadURL(fileRef).then(url => ...)

The URL points to a Google domain. Such domain does not add CORS headers by default.

HTTP URL: browser specifics

Due to cross-origin, the browser prevents the user from doing a direct download when clicking on a download anchor tag. Instead, the browser performs a navigation, ignore any download attribute.

When we make use of the URL in a media element's src attribute, there is no download on the user's filesystem, so the browser display the content immediately even though it's cross-origin.

Due to the absence of the CORS header by default, the browser does not allow fetching the data in the background. We may enable the CORS header if such background download is important.