Download in Browser

Download in Browser

Sometimes an application wants to embed a file into a page as a HTML element. An example would be when working with an audio player.

<audio controls>
  <source src="..." type="audio/mp3">
</audio>

In this case, using the regular download URL does not work because the dl.boxcloud.com domain does not support Cross Origin Resource Sharing.

Instead an application can use the following format.

https://api.box.com/2.0/files/[FILE_ID]/content?access_token=[ACCESS_TOKEN]

CORS

For this to work the application needs to have the domain of the web site hosting this file added to the list of allowed domains in the CORS settings.

Downscope Token

Using this method would expose the Access Token to the end user, allowing them to potentially use this token to do more than intended. For this reason we recommend downscoping this token accordingly.