Another Framework Upgrade Oddity



mlmcconnell
8 Sep 2017, 6:35 AM
I recently upgraded a chart-heavy dashboard application from ExtJS 5 to ExtJS 6.5 in Sencha Architect (4.2.2). I am now getting multiple warnings (one for each view in the project, I assume) when loading the application:

[W] Using Sencha's download server could expose your data and pose a security risk. Please see Ext.draw.Container#download method docs for more info. (component id=cartesian-1199)

This never happened with the original Ext 5.x application. I assume that Architect failed to bring in a required package or something. The external resource being loaded is: http://svg.sencha.io

And here is the bit of framework code where it's all going south:



Ext.define('Ext.draw.Container', {
    extend:Ext.draw.ContainerBase, alternateClassName:'Ext.draw.Component', xtype:'draw',
    defaultType:'surface', isDrawContainer:true, engine:'Ext.draw.engine.Canvas',
    config:{cls:[Ext.baseCSSPrefix + 'draw-container', Ext.baseCSSPrefix + 'unselectable'],
        resizeHandler:null, sprites:null, gradients:[], downloadServerUrl:undefined,
        touchAction:{panX:false, panY:false, pinchZoom:false, doubleTapZoom:false},
        surfaceZIndexes:{main:1}},
    defaultDownloadServerUrl:'http://svg.sencha.io',
    supportedFormats:['png', 'pdf', 'jpeg', 'gif'],
    supportedOptions:{version:Ext.isNumber, data:Ext.isString, format:function(format) {
        return Ext.Array.indexOf(this.supportedFormats, format) >= 0;
    }, filename:Ext.isString, width:Ext.isNumber, height:Ext.isNumber, scale:Ext.isNumber, pdf:Ext.isObject, jpeg:Ext.isObject},
    initAnimator:function() {
        this.frameCallbackId = Ext.draw.Animator.addFrameCallback('renderFrame', this);
    },
    applyDownloadServerUrl:function(url) {
        var defaultUrl = this.defaultDownloadServerUrl;
        if (!url) {
            url = defaultUrl;
            Ext.log.warn("Using Sencha's download server could expose your data and pose a security risk. " + 'Please see Ext.draw.Container#download method docs for more info. (component id\x3d' + this.getId() + ')');
        }
        return url;
    }


Any ideas?

Thank You,
M. McConnell

petr.vecera
8 Sep 2017, 6:51 AM
You can find more info here http://docs.sencha.com/extjs/6.5.0/classic/Ext.draw.Container.html#method-download
There is an option to download the chart as an image or PDF. So you can simply call .download() and it creates an image for you. It sends the chart data to the server and the server returns the image.

If I am not mistaken, this is just a warning and it should not be a problem unless you call the download method.

Cheers
Petr

mlmcconnell
8 Sep 2017, 7:19 AM
Thank you. I actually didn't know the charts were being rendered on an external server. This seems less than secure, to put it mildly. I'll look into deploying the NodeJS server locally. I appreciate your help.

M. McConnell

mlmcconnell
8 Sep 2017, 8:06 AM
Hey, Petr....Forgive my ignorance, here, but what exactly is the server (local node or the svg.sencha.io) doing? Is it only used when a download method is invoked? I installed NodeJS and got the ExtJS supplied node server running on the default port (1337). I then changed the downloadServerUrl parameters on all charts to the local Node instance and the application runs just fine. However, I shut down the Node server, reloaded the application and it STILL runs just fine (not a single error message). Can I assume it's not using the Node server to do the rendering? Is the server only used to download or export an image of the chart? Just a bit confused here.....

M. McConnell

petr.vecera
8 Sep 2017, 9:27 AM
No, it's not used for the render. Render is done in the browser, it's only used when you want to generate PNG or PDF file of the chart ;-)

mlmcconnell
8 Sep 2017, 10:02 AM
OK...that makes sense, then. The way it was throwing error messages originally, I thought the remote server was doing some sort of rendering function and returning the result. Now that I think about it, that would make NO sense whatsoever.

Thanks Again,
M. McConnell
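
The framework excerpt in the first post falls back to http://svg.sencha.io whenever downloadServerUrl is falsy, and the reply explains that chart data is sent to that server on download(). As an added example (not part of the thread and not Sencha's code), the following Node.js check walks plain view config objects and reports draw containers whose export would go to a host outside an allowlist or over cleartext HTTP. The xtype list, the allowlisted hosts and the sample view are assumptions constructed for illustration.

```javascript
// Added example: audits plain ExtJS-style view configs (not Sencha code).
const DEFAULT_DOWNLOAD_SERVER = 'http://svg.sencha.io'; // fallback shown in the framework excerpt
// Assumption: xtypes treated as draw containers; extend for your own subclasses.
const DRAW_XTYPES = new Set(['draw', 'cartesian', 'polar', 'chart']);

// Mirrors applyDownloadServerUrl: a falsy value falls back to the default.
function effectiveDownloadUrl(cfg) {
    return cfg.downloadServerUrl || DEFAULT_DOWNLOAD_SERVER;
}

// Walks a config tree and reports draw containers whose export data would
// leave the allowed hosts or travel over cleartext HTTP.
function auditDownloadServers(cfg, allowedHosts, path = 'root', findings = []) {
    if (DRAW_XTYPES.has(cfg.xtype)) {
        const raw = effectiveDownloadUrl(cfg);
        let url = null;
        try { url = new URL(raw); } catch (e) { /* unparseable, reported below */ }
        const reasons = [];
        if (!cfg.downloadServerUrl) reasons.push('unset: falls back to ' + DEFAULT_DOWNLOAD_SERVER);
        if (!url) {
            reasons.push('not an absolute URL');
        } else {
            if (!allowedHosts.includes(url.hostname)) reasons.push('host not allowed: ' + url.hostname);
            if (url.protocol !== 'https:') reasons.push('not HTTPS');
        }
        if (reasons.length) findings.push({ path, url: raw, reasons });
    }
    const items = Array.isArray(cfg.items) ? cfg.items : [];
    items.forEach((child, i) => auditDownloadServers(child, allowedHosts, `${path}.items[${i}]`, findings));
    return findings;
}

// Constructed sample view; export.example.internal is a placeholder host.
const sampleView = {
    xtype: 'panel',
    items: [
        { xtype: 'cartesian' },
        { xtype: 'polar', downloadServerUrl: 'https://export.example.internal/' },
        { xtype: 'container', items: [{ xtype: 'cartesian', downloadServerUrl: 'http://localhost:1337' }] }
    ]
};

console.log(JSON.stringify(auditDownloadServers(sampleView, ['export.example.internal', 'localhost']), null, 2));
```

Running the check in a build step against the application's view definitions surfaces every component that would otherwise only be noticed through the runtime warning.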