fix: load Image/IFrame sources when disabled (CP: 24.10) (#24365) (CP: 24.9) (#24370)

vaadin-bot · web-flow · commit 46ff0c50dedf · 2026-05-19T09:45:38.000+03:00
When an Image or IFrame backed by a DownloadHandler lives inside a disabled component, the browser receives a 403 and the resource never loads. Image.setSrc(DownloadHandler) and IFrame.setSrc(DownloadHandler) now allow the resource to be served regardless of the owner's enabled state, since these sources are fetched passively as part of rendering rather than as a user action. Fixes #22772
diff --git a/flow-html-components/src/main/java/com/vaadin/flow/component/html/IFrame.java b/flow-html-components/src/main/java/com/vaadin/flow/component/html/IFrame.java
@@ -190,6 +190,12 @@ public void setSrc(AbstractStreamResource src) {
      * {@link DownloadHandler}, as well as for other
      * {@link AbstractDownloadHandler} implementations.
      *
+     * The handler is wrapped with {@link DownloadHandler#allowDisabled()} so
+     * that the iframe content is still served when the component, or one of its
+     * ancestors, is disabled. The browser fetches the content as part of
+     * rendering rather than as a user action, so blocking the request on the
+     * disabled state would leave the iframe empty.
+     *
      * @see #setSrc(String)
      *
      * @param downloadHandler
@@ -201,7 +207,7 @@ public void setSrc(DownloadHandler downloadHandler) {
             // where it is 'attachment' by default
             handler.inline();
         }
-        getElement().setAttribute("src", downloadHandler);
+        getElement().setAttribute("src", downloadHandler.allowDisabled());
     }
 
     /**
diff --git a/flow-html-components/src/main/java/com/vaadin/flow/component/html/Image.java b/flow-html-components/src/main/java/com/vaadin/flow/component/html/Image.java
@@ -156,6 +156,12 @@ public void setSrc(AbstractStreamResource src) {
      * {@link DownloadHandler}, as well as for other
      * {@link AbstractDownloadHandler} implementations.
      *
+     * The handler is wrapped with {@link DownloadHandler#allowDisabled()} so
+     * that the image is still served when the component, or one of its
+     * ancestors, is disabled. The browser fetches the image as part of
+     * rendering rather than as a user action, so blocking the request on the
+     * disabled state would leave the icon broken.
+     *
      * @param downloadHandler
      *            the download handler resource, not null
      */
@@ -165,7 +171,7 @@ public void setSrc(DownloadHandler downloadHandler) {
             // where it is 'attachment' by default
             handler.inline();
         }
-        getElement().setAttribute("src", downloadHandler);
+        getElement().setAttribute("src", downloadHandler.allowDisabled());
     }
 
     /**
diff --git a/flow-html-components/src/test/java/com/vaadin/flow/component/html/IFrameTest.java b/flow-html-components/src/test/java/com/vaadin/flow/component/html/IFrameTest.java
@@ -15,17 +15,19 @@
  */
 package com.vaadin.flow.component.html;
 
-import com.vaadin.flow.component.Component;
-import com.vaadin.flow.dom.Element;
-import com.vaadin.flow.server.streams.DownloadHandler;
-import com.vaadin.flow.server.streams.DownloadResponse;
-import com.vaadin.flow.server.streams.InputStreamDownloadHandler;
+import java.lang.reflect.Field;
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
 
-import java.lang.reflect.Field;
+import com.vaadin.flow.component.Component;
+import com.vaadin.flow.dom.DisabledUpdateMode;
+import com.vaadin.flow.dom.Element;
+import com.vaadin.flow.server.streams.DownloadHandler;
+import com.vaadin.flow.server.streams.DownloadResponse;
+import com.vaadin.flow.server.streams.InputStreamDownloadHandler;
 
 public class IFrameTest extends ComponentTest {
 
@@ -68,6 +70,29 @@ public void testHasAriaLabelIsImplemented() {
         super.testHasAriaLabelIsImplemented();
     }
 
+    @Test
+    public void setSrc_downloadHandler_disabledUpdateModeIsAlways() {
+        Element element = Mockito.mock(Element.class);
+        class TestIFrame extends IFrame {
+            @Override
+            public Element getElement() {
+                return element;
+            }
+        }
+        // Plain lambda DownloadHandler, not an AbstractDownloadHandler subclass
+        DownloadHandler lambda = event -> {
+        };
+
+        new TestIFrame().setSrc(lambda);
+
+        ArgumentCaptor<DownloadHandler> captor = ArgumentCaptor
+                .forClass(DownloadHandler.class);
+        Mockito.verify(element).setAttribute(Mockito.eq("src"),
+                captor.capture());
+        Assert.assertEquals(DisabledUpdateMode.ALWAYS,
+                captor.getValue().getDisabledUpdateMode());
+    }
+
     @Test
     public void downloadHandler_isSetToInline() {
         Element element = Mockito.mock(Element.class);
diff --git a/flow-html-components/src/test/java/com/vaadin/flow/component/html/ImageTest.java b/flow-html-components/src/test/java/com/vaadin/flow/component/html/ImageTest.java
@@ -20,8 +20,10 @@
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
 
+import com.vaadin.flow.dom.DisabledUpdateMode;
 import com.vaadin.flow.dom.Element;
 import com.vaadin.flow.server.streams.DownloadHandler;
 import com.vaadin.flow.server.streams.DownloadResponse;
@@ -52,6 +54,29 @@ public void emptyAltKeepsAttribute() {
         Assert.assertFalse(img.getElement().hasAttribute("alt"));
     }
 
+    @Test
+    public void setSrc_downloadHandler_disabledUpdateModeIsAlways() {
+        Element element = Mockito.mock(Element.class);
+        class TestImage extends Image {
+            @Override
+            public Element getElement() {
+                return element;
+            }
+        }
+        // Plain lambda DownloadHandler, not an AbstractDownloadHandler subclass
+        DownloadHandler lambda = event -> {
+        };
+
+        new TestImage().setSrc(lambda);
+
+        ArgumentCaptor<DownloadHandler> captor = ArgumentCaptor
+                .forClass(DownloadHandler.class);
+        Mockito.verify(element).setAttribute(Mockito.eq("src"),
+                captor.capture());
+        Assert.assertEquals(DisabledUpdateMode.ALWAYS,
+                captor.getValue().getDisabledUpdateMode());
+    }
+
     @Test
     public void downloadHandler_isSetToInline() {
         Element element = Mockito.mock(Element.class);
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/streams/DownloadHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/streams/DownloadHandler.java
@@ -20,6 +20,7 @@
 import java.io.IOException;
 import java.util.Optional;
 
+import com.vaadin.flow.dom.DisabledUpdateMode;
 import com.vaadin.flow.dom.Element;
 import com.vaadin.flow.server.VaadinRequest;
 import com.vaadin.flow.server.VaadinResponse;
@@ -104,6 +105,59 @@ default void handleRequest(VaadinRequest request, VaadinResponse response,
         handleDownloadRequest(downloadEvent);
     }
 
+    /**
+     * Returns a view of this handler that is served even when the owning
+     * component is disabled.
+     * <p>
+     * By default a {@link DownloadHandler} inherits
+     * {@link DisabledUpdateMode#ONLY_WHEN_ENABLED} from
+     * {@link ElementRequestHandler}, which causes the framework to respond with
+     * HTTP 403 when the owning element is disabled. That is appropriate for
+     * action-style downloads such as a "save file" link on an
+     * {@code com.vaadin.flow.component.html.Anchor}, but not for resources that
+     * the browser fetches passively as part of rendering, such as the
+     * {@code src} of an icon or image inside a disabled container.
+     * <p>
+     * This method returns a wrapper that delegates
+     * {@link #handleDownloadRequest}, {@link #getUrlPostfix()} and
+     * {@link #isAllowInert()} to this handler and overrides
+     * {@link #getDisabledUpdateMode()} to return
+     * {@link DisabledUpdateMode#ALWAYS}. If this handler already reports
+     * {@code ALWAYS}, the same instance is returned.
+     *
+     * @return a {@link DownloadHandler} that is served regardless of the
+     *         owner's enabled state, or {@code this} if the disabled mode is
+     *         already {@link DisabledUpdateMode#ALWAYS}
+     */
+    default DownloadHandler allowDisabled() {
+        if (getDisabledUpdateMode() == DisabledUpdateMode.ALWAYS) {
+            return this;
+        }
+        DownloadHandler delegate = this;
+        return new DownloadHandler() {
+            @Override
+            public void handleDownloadRequest(DownloadEvent event)
+                    throws IOException {
+                delegate.handleDownloadRequest(event);
+            }
+
+            @Override
+            public String getUrlPostfix() {
+                return delegate.getUrlPostfix();
+            }
+
+            @Override
+            public boolean isAllowInert() {
+                return delegate.isAllowInert();
+            }
+
+            @Override
+            public DisabledUpdateMode getDisabledUpdateMode() {
+                return DisabledUpdateMode.ALWAYS;
+            }
+        };
+    }
+
     /**
      * Get a download handler for serving given {@link File}.
      * <p>
diff --git a/flow-server/src/test/java/com/vaadin/flow/server/streams/DownloadHandlerTest.java b/flow-server/src/test/java/com/vaadin/flow/server/streams/DownloadHandlerTest.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2000-2026 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.server.streams;
+
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.vaadin.flow.dom.DisabledUpdateMode;
+import com.vaadin.flow.dom.Element;
+import com.vaadin.flow.server.VaadinRequest;
+import com.vaadin.flow.server.VaadinResponse;
+import com.vaadin.flow.server.VaadinSession;
+
+public class DownloadHandlerTest {
+
+    @Test
+    public void allowDisabled_lambda_disabledUpdateModeIsAlways() {
+        DownloadHandler delegate = event -> {
+        };
+
+        DownloadHandler wrapped = delegate.allowDisabled();
+
+        Assert.assertEquals(DisabledUpdateMode.ALWAYS,
+                wrapped.getDisabledUpdateMode());
+    }
+
+    @Test
+    public void allowDisabled_lambda_forwardsHandleDownloadRequest()
+            throws Exception {
+        AtomicReference<DownloadEvent> received = new AtomicReference<>();
+        DownloadHandler delegate = received::set;
+
+        DownloadEvent event = new DownloadEvent(
+                Mockito.mock(VaadinRequest.class),
+                Mockito.mock(VaadinResponse.class),
+                Mockito.mock(VaadinSession.class), Mockito.mock(Element.class));
+
+        delegate.allowDisabled().handleDownloadRequest(event);
+
+        Assert.assertSame(
+                "Wrapped handler must forward the event to the delegate", event,
+                received.get());
+    }
+
+    @Test
+    public void allowDisabled_forwardsUrlPostfixAndAllowInert() {
+        DownloadHandler delegate = new DownloadHandler() {
+            @Override
+            public void handleDownloadRequest(DownloadEvent event) {
+            }
+
+            @Override
+            public String getUrlPostfix() {
+                return "icon.svg";
+            }
+
+            @Override
+            public boolean isAllowInert() {
+                return true;
+            }
+        };
+
+        DownloadHandler wrapped = delegate.allowDisabled();
+
+        Assert.assertEquals("icon.svg", wrapped.getUrlPostfix());
+        Assert.assertTrue(wrapped.isAllowInert());
+    }
+
+    @Test
+    public void allowDisabled_abstractDownloadHandlerWrapped_modeIsAlways_inlinePreserved() {
+        InputStreamDownloadHandler handler = DownloadHandler
+                .fromInputStream(event -> DownloadResponse.error(500));
+        handler.inline();
+
+        DownloadHandler wrapped = handler.allowDisabled();
+
+        Assert.assertEquals(DisabledUpdateMode.ALWAYS,
+                wrapped.getDisabledUpdateMode());
+        // The wrap does not interfere with the original handler's inline state
+        Assert.assertTrue(handler.isInline());
+    }
+
+    @Test
+    public void allowDisabled_isIdempotent_returnsSameInstance() {
+        DownloadHandler alwaysAllowed = new DownloadHandler() {
+            @Override
+            public void handleDownloadRequest(DownloadEvent event) {
+            }
+
+            @Override
+            public DisabledUpdateMode getDisabledUpdateMode() {
+                return DisabledUpdateMode.ALWAYS;
+            }
+        };
+
+        Assert.assertSame(
+                "allowDisabled() on a handler that is already ALWAYS must be a no-op",
+                alwaysAllowed, alwaysAllowed.allowDisabled());
+    }
+
+    @Test
+    public void allowDisabled_doubleWrap_returnsFirstWrapper() {
+        DownloadHandler delegate = event -> {
+        };
+        DownloadHandler wrappedOnce = delegate.allowDisabled();
+        DownloadHandler wrappedTwice = wrappedOnce.allowDisabled();
+
+        Assert.assertSame(
+                "Wrapping a handler that is already ALWAYS must be a no-op",
+                wrappedOnce, wrappedTwice);
+    }
+}
diff --git a/flow-tests/test-root-context/src/main/java/com/vaadin/flow/uitest/ui/DisabledImageDownloadHandlerView.java b/flow-tests/test-root-context/src/main/java/com/vaadin/flow/uitest/ui/DisabledImageDownloadHandlerView.java
diff --git a/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/DisabledImageDownloadHandlerIT.java b/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/DisabledImageDownloadHandlerIT.java

Original file line number	Diff line number	Diff line change
`@@ -190,6 +190,12 @@ public void setSrc(AbstractStreamResource src) {`
`190`	`190`	`* {@link DownloadHandler}, as well as for other`
`191`	`191`	`* {@link AbstractDownloadHandler} implementations.`
`192`	`192`	`*`
	`193`	`+ * The handler is wrapped with {@link DownloadHandler#allowDisabled()} so`
	`194`	`+ * that the iframe content is still served when the component, or one of its`
	`195`	`+ * ancestors, is disabled. The browser fetches the content as part of`
	`196`	`+ * rendering rather than as a user action, so blocking the request on the`
	`197`	`+ * disabled state would leave the iframe empty.`
	`198`	`+ *`
`193`	`199`	`* @see #setSrc(String)`
`194`	`200`	`*`
`195`	`201`	`* @param downloadHandler`
`@@ -201,7 +207,7 @@ public void setSrc(DownloadHandler downloadHandler) {`
`201`	`207`	`// where it is 'attachment' by default`
`202`	`208`	`handler.inline();`
`203`	`209`	`}`
`204`		`- getElement().setAttribute("src", downloadHandler);`
	`210`	`+ getElement().setAttribute("src", downloadHandler.allowDisabled());`
`205`	`211`	`}`
`206`	`212`
`207`	`213`	`/**`