Allowing users to save/download a runtime-generated file with the use of object URLs and the anchor download attribute is the only viable way of doing things at the moment. Bouncing the file through a server isn't acceptable for web applications that are supposed to act like native apps.
Ideally, the File API would provide a way for users to save a file, and I'm surprised this is still an issue. Writing a file to a user selected location is no less secure than allowing a user to download a file with an anchor. // Si
