diff --git a/www/common/inner/common-modal.js b/www/common/inner/common-modal.js
index ee475c028..2e8c32e21 100644
--- a/www/common/inner/common-modal.js
+++ b/www/common/inner/common-modal.js
@@ -59,8 +59,8 @@ define([
 }), opts.href);
 // If this is a file, don't try to look for metadata
- if (opts.channel && opts.channel.length > 34) { return; }
 if (opts.channel) { data.channel = opts.channel; }
+ if (!data.channel || data.channel.length > 32) { return; }
 Modal.loadMetadata(Env, data, waitFor);
 }).nThen(function () {
 cb(void 0, data);
diff --git a/www/common/outer/async-store.js b/www/common/outer/async-store.js
index da7f043f3..d60fffb5a 100644
--- a/www/common/outer/async-store.js
+++ b/www/common/outer/async-store.js
@@ -675,6 +675,8 @@ define([
 sem.take(function (give) {
 var otherOwners = false;
 nThen(function (_w) {
+ // Don't check server metadata for blobs
+ if (c.length !== 32) { return; }
 Store.anonRpcMsg(null, {
 msg: 'GET_METADATA',
 data: c
@@ -1807,6 +1809,7 @@ define([
 var cb = Util.once(Util.mkAsync(_cb));
 if (!data.channel) { return void cb({ error: 'ENOTFOUND'}); }
+ if (!data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); }
 store.anon_rpc.send('GET_METADATA', data.channel, function (err, obj) {
 if (err) { return void cb({error: err}); }
 var metadata = (obj && obj[0]) || {};
diff --git a/www/common/outer/team.js b/www/common/outer/team.js
index a2dbf7c05..c151de004 100644
--- a/www/common/outer/team.js
+++ b/www/common/outer/team.js
@@ -678,6 +678,8 @@ define([
 sem.take(function (give) {
 var otherOwners = false;
 nThen(function (_w) {
+ // Don't check server metadata for blobs
+ if (c.length !== 32) { return; }
 ctx.Store.anonRpcMsg(null, {
 msg: 'GET_METADATA',
 data: c
diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js
index f4f42707a..ea4cc7b8b 100644
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
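Review bot: In www/common/inner/common-modal.js the new guard tests `data.channel.length > 32`, while every other check added in this commit tests `!== 32`, so an id shorter than 32 characters still reaches `Modal.loadMetadata` here. If only 32-character ids are meant to be looked up, write `if (!data.channel || data.channel.length !== 32) { return; }`; if shorter ids are expected, the existing comment should say which. The literal 32 is now repeated across four files, and a shared named constant or helper would keep these checks from drifting apart. The enclosing function starts and ends outside the hunk.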
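Review bot: In the `@@ -675` hunk of www/common/outer/async-store.js (and the identical `@@ -678` hunk of www/common/outer/team.js) the early `return` leaves `otherOwners` at its initial `false` for every channel whose length is not 32. The code that reads `otherOwners` is outside the hunk, so it should be confirmed that treating those channels as having no other owners is intended, and the comment should record it, e.g. `// Don't check server metadata for blobs: otherOwners stays false for them`. `c.length` also throws if `c` is not a string; if the list can contain empty entries, `if (typeof c !== 'string' || c.length !== 32) { return; }` is safer.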
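Review bot: The guard added in the `@@ -1807` hunk of www/common/outer/async-store.js, `if (!data.channel.length !== 32)`, is always true: `!data.channel.length` is a boolean, and a boolean is never strictly equal to 32, so every call returns `EINVAL` and `GET_METADATA` is never sent. Drop the stray `!`: `if (data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); }`. The check fails closed, so this is a functional regression rather than a validation bypass, but a test that passes a valid 32-character channel would have caught it. The enclosing function starts and ends outside the hunk.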
@@ -1266,6 +1266,9 @@ define([
 var _parsed = Utils.Hash.parsePadUrl(metadata.roHref);
 _secret = Utils.Hash.getSecrets(_parsed.type, _parsed.hash, metadata.password);
 }
+ if (_secret.channel.length !== 32) {
+ return void cb({error: 'EINVAL'});
+ }
 var crypto = Crypto.createEncryptor(_secret.keys);
 nThen(function (waitFor) {
 // Try to get the owner's mailbox from the pad metadata first.
@@ -1325,6 +1328,9 @@ define([
 var _parsed = Utils.Hash.parsePadUrl(metadata.href || metadata.roHref);
 _secret = Utils.Hash.getSecrets(_parsed.type, _parsed.hash, metadata.password);
 }
+ if (_secret.channel.length !== 32) {
+ return void cb({error: 'EINVAL'});
+ }
 var crypto = Crypto.createEncryptor(_secret.keys);
 nThen(function (waitFor) {
 // If we already have metadata, use it, otherwise, try to get it
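Review bot: Both checks added in www/common/sframe-common-outer.js (`@@ -1266` and `@@ -1325`) read `_secret.channel.length` without first checking that `_secret.channel` is set, so a missing channel would throw a TypeError instead of calling back with `EINVAL`. In the branch visible in each hunk, `_secret` is derived from `metadata.href`/`metadata.roHref` through `Utils.Hash.getSecrets`, and what that returns for a malformed link is not visible here. A guard such as `if (!_secret.channel || _secret.channel.length !== 32) {` keeps the error path uniform. Both enclosing functions start and end outside the hunks.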