fix(tldraw): fix download original for cross-origin assets #8090
Merged
MitjaBezensek merged 3 commits into main on Feb 26, 2026
MitjaBezensek commented Feb 25, 2026
| link.download = asset.props.name | ||
| } else { | ||
| link.download = 'download' | ||
| if (!url) continue |
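Review bot: `if (!url) continue` on the last line skips a shape whose URL did not resolve without any signal, so a download over several shapes can finish with fewer files than were selected and nothing tells the user or the logs why. Consider collecting the skipped shapes inside the loop and reporting them once after it (a toast or a console warning), and add a short comment on why skipping is preferred over stopping here.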
Felt like continue is better here.
06002d9 to 9474ae4
9474ae4 to a3eec94
Cursor Bugbot has reviewed your changes and found 1 potential issue.
huppy-bot (bot) pushed a commit that referenced this pull request on Feb 26, 2026

"Download original" was broken in production because assets are hosted on `tldrawusercontent.com` (cross-origin from `tldraw.com`). Browsers ignore `<a download>` for cross-origin URLs and navigate instead of downloading.

This replaces the `<a>` link approach with fetch + blob. Blob URLs are always same-origin, so `<a download>` works correctly. Falls back to `window.open` if the fetch fails (e.g. CORS blocked).

This would also work for SDK users that also host images on a separate domain, which is why I feel that doing the fix in the SDK code is the right way to go.

### Change type

- [x] `bugfix`

### Test plan

1. Upload an image on tldraw.com
2. Select it → click download icon in toolbar → browser downloads with correct filename
3. Right-click → "Download original" → same behavior
4. Test with video asset

### Release notes

- Fixed "Download original" not triggering a download for cross-origin assets

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the asset download flow to fetch and blob-create files, which can be affected by CORS/network failures and browser memory usage, but is scoped to a single UI action with a safe fallback.
>
> **Overview**
> Fixes **`Download original`** for image/video shapes when the asset URL is cross-origin by replacing the `<a download>` navigation approach with `fetch` → `blob` → `File` and triggering download via the shared `downloadFile` helper.
>
> Also makes multi-selection more robust by skipping shapes whose resolved URL is missing (instead of aborting the whole loop) and falling back to `openWindow(url, '_blank')` if the fetch/download path fails (e.g. CORS blocked).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f6c3ced. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
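The fetch → blob → `<a download>` flow with the `window.open` fallback described in the message above, as an added example that is not part of the pull request or tldraw's code. The function names, the `env` object that carries the browser APIs, the http(s)-only check and the filename clean-up are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not tldraw's implementation.
// `env` carries the browser pieces so the flow can be driven with stubs:
// { base, fetch, URL, document, open, defer }.

// Assumption: assets are served over http(s); other schemes are refused
// before anything is fetched or opened.
function isHttpUrl(url, base) {
  try {
    return ['http:', 'https:'].includes(new URL(url, base).protocol)
  } catch {
    return false
  }
}

// The asset name is treated as untrusted here: drop control characters,
// path separators and leading dots, and fall back to 'download'.
function safeDownloadName(name) {
  const cleaned = String(name ?? '')
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .replace(/[\\/:*?"<>|]/g, '_')
    .replace(/^\.+/, '')
    .trim()
  return cleaned.slice(0, 255) || 'download'
}

async function downloadOriginal(url, name, env) {
  if (!isHttpUrl(url, env.base)) return 'skipped'
  try {
    const res = await env.fetch(url) // needs CORS headers from the asset host
    if (!res.ok) throw new Error(`HTTP ${res.status}`)
    const blobUrl = env.URL.createObjectURL(await res.blob())
    const link = env.document.createElement('a')
    link.href = blobUrl // blob: URLs are same-origin, so `download` is honoured
    link.download = safeDownloadName(name)
    link.click()
    // Release the in-memory copy once the browser has started the download.
    env.defer(() => env.URL.revokeObjectURL(blobUrl))
    return 'blob'
  } catch {
    // CORS or network failure: open the asset without exposing window.opener.
    env.open(url, '_blank', 'noopener,noreferrer')
    return 'fallback'
  }
}
```

In a browser, build `env` with wrappers such as `fetch: (u) => fetch(u)`, `open: (...a) => window.open(...a)` and `defer: (fn) => setTimeout(fn, 10000)`, since `fetch` and `open` fail when called as methods of another object.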
huppy-bot (bot) added a commit that referenced this pull request on Feb 26, 2026

This is an automated hotfix for dotcom deployment.

Original PR: #8090
Original Author: @MitjaBezensek
steveruizok added a commit that referenced this pull request on Feb 27, 2026

Add 12 new entries from PRs merged since v4.4.0:

- Featured: click-through on transparent image pixels (#7942)
- API: enum-to-const-object refactor (#8084)
- Improvements: SVG sanitizer (#7896), save-on-blur (#8037)
- Bug fixes: cross-origin download (#8090), zero-size draw (#8067), rich text toolbar cleanup (#8050), zoom threshold (#8040), selection foreground fallback (#8011), sticky note SVG shadow (#7934), arrow frame clamping (#7932), zero pressure draw (#5693)