Merge pull request #29 from script-development/security/download-request-revoke-url

Goosterhof · web-flow · commit 241cb8a75cf1 · 2026-04-16T12:10:02.000+02:00
security(http): revoke object URL after downloadRequest click
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/http/package.json b/packages/http/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-http",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Framework-agnostic HTTP service factory with middleware architecture",
   "homepage": "https://packages.script.nl/packages/http",
   "license": "MIT",
diff --git a/packages/http/src/http.ts b/packages/http/src/http.ts
@@ -112,6 +112,10 @@ export const createHttpService = (baseURL: string, options?: HttpServiceOptions)
     link.href = window.URL.createObjectURL(blob);
     link.download = documentName;
     link.click();
+    // Revoke the object URL after the click so the browser can release the
+    // blob reference. The download itself captures its own reference during
+    // link.click(), so revoking here does not interrupt it.
+    window.URL.revokeObjectURL(link.href);
 
     return response;
   };
diff --git a/packages/http/tests/http.spec.ts b/packages/http/tests/http.spec.ts
@@ -24,6 +24,7 @@ beforeEach(() => {
   vi.stubGlobal("window", {
     URL: {
       createObjectURL: vi.fn(() => "blob:http://localhost/fake-object-url"),
+      revokeObjectURL: vi.fn(),
     },
   });
 
@@ -514,6 +515,28 @@ describe("createHttpService", () => {
         "No content type found",
       );
     });
+
+    it("revokes the object URL after triggering the download", async () => {
+      // Arrange
+      mock.onGet(`${BASE_URL}/download/file.pdf`).reply(200, "file-content", {
+        "content-type": "application/pdf",
+      });
+      const service = createHttpService(BASE_URL);
+      const mockLink = { href: "", download: "", click: vi.fn() };
+      vi.stubGlobal("document", {
+        createElement: vi.fn(() => mockLink),
+        cookie: "",
+      });
+
+      // Act
+      await service.downloadRequest("/download/file.pdf", "report.pdf");
+
+      // Assert — revoke fires with the same URL that was assigned to href
+      expect(window.URL.revokeObjectURL).toHaveBeenCalledTimes(1);
+      expect(window.URL.revokeObjectURL).toHaveBeenCalledWith(
+        "blob:http://localhost/fake-object-url",
+      );
+    });
   });
 
   describe("previewRequest", () => {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@script-development/fs-http",`
`3`		`- "version": "0.1.1",`
	`3`	`+ "version": "0.1.2",`
`4`	`4`	`"description": "Framework-agnostic HTTP service factory with middleware architecture",`
`5`	`5`	`"homepage": "https://packages.script.nl/packages/http",`
`6`	`6`	`"license": "MIT",`