(Note: this page is an alternate explanation of the authoritative docs at https://godoc.org/git.curoverse.com/arvados.git/services/keep-web#hdr-Authorization_mechanisms)
Keep-web serves files from Keep collections as normal HTTP documents.
This is mitigated two ways:
- By serving files with "content-disposition: attachment" which tells the browser to open up the download dialog straight away and don't try to show the files.
- Using separate a separate domain for downloading, so the browser won't send workbench cookies.
This raises the challenge: how to provide the API token to keep-web to enable download?
keepweb accepts an API token the following ways:
- With a cookie called
/t=xxx/at the start of the path
- when doing a GET request, the API token must be either part of the request URI or a header (browser does not send the workbench cookie when keep-web is on a different domain)
- We want to hide the API token from the user unless it is a "sharing" link