Why is a call being made to an external site at all?

[mjlachman]

When using this library, it calls out to https://jimmywarting.github.io/StreamSaver.js/mitm.html to stream downloads. If I have the library included in my bundle, it should not be calling to any external site whatsoever to process a download. This is a huge security risk.

[wcroachie]

The only way to stream a download in all browsers requires that the Content-Disposition header in the response be set to Attachment, currently the only way of doing this is either configuring the server that way, or if you're going serverless, to run a service worker on a site served via https that intercepts the request and edits the headers. This is what streamsaver does, more or less, via an iframe.
If you want you can just download a copy of the mitm file and then host it wherever (i.e like a github.io site) so that you have control over it. This is what I do. You just have to set Streamsaver.mitm to my-site/mitm.html.