Bug 223576

| Field | Value |
|---|---|
| Summary | Safari needs csp with object-src : 'self' to render a PDF |
| Product | WebKit |
| Component | WebCore Misc. |
| Status | RESOLVED DUPLICATE |
| Severity | Normal |
| Priority | P2 |
| Version | Safari 14 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | alexandre robuchon <alexandre.robuchon> |
| Assignee | Nobody <webkit-unassigned> |
| CC | achristensen, bfulgham, katherine_cheney, thorton |

alexandre robuchon
macOS: 10.15.7
Safari: Version 14.0 (15610.1.28.1.9, 15610)
A PDF served with the Content-Security-Policy header set to "default-src 'none'; style-src 'self' 'unsafe-inline';" is not displayed in Safari. It complains about not having 'object-src' set to 'self'.
This header works fine in Chrome, Edge, Firefox ...
Is it something that will be fixed or is it the intended behavior?
Thanks.
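
The policy in the report has no `object-src` directive, so under CSP's fallback rule `object-src` is governed by `default-src 'none'`. The following is an added example, not part of the original report and not WebKit code, that resolves which directive applies; the function names and the `WITH_OBJECT_SRC` variant are constructed for illustration.

```javascript
// Added example, not WebKit code. Function names are hypothetical.

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Find the directive that governs `name`, falling back to default-src.
// Returns null when neither is present (the load is unrestricted).
function effectiveDirective(policy, name) {
  for (const candidate of [name, 'default-src']) {
    if (policy.has(candidate)) {
      return { directive: candidate, sources: policy.get(candidate) };
    }
  }
  return null;
}

// Simplified check: does the governing list contain the 'self' keyword?
// Host, scheme and wildcard source matching are deliberately left out.
function allowsSelf(policy, name) {
  const eff = effectiveDirective(policy, name);
  if (eff === null) return true;
  return eff.sources.some((s) => s.toLowerCase() === "'self'");
}

// Policy quoted in the report, and a constructed variant adding object-src.
const REPORTED = "default-src 'none'; style-src 'self' 'unsafe-inline';";
const WITH_OBJECT_SRC = REPORTED + " object-src 'self'";

for (const header of [REPORTED, WITH_OBJECT_SRC]) {
  const policy = parsePolicy(header);
  const eff = effectiveDirective(policy, 'object-src');
  console.log(`${eff.directive} [${eff.sources.join(' ')}] ->`,
    allowsSelf(policy, 'object-src') ? 'self allowed' : 'self blocked');
}
```
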
Alexey Proskuryakov
This seems unlikely to be intended if it's different from other browsers. Probably an artifact of having PDF loading implemented using plugin code paths.
Tim Horton
Kate, is this related to https://trac.webkit.org/changeset/271650/webkit?
Tim Horton
(or maybe a dupe of it?)
alexandre robuchon
It looks related indeed. Sorry I didn't find the ticket.
Is the patch in 14.0.3 or do I need to get the nightly to test this?
Kate Cheney
(In reply to alexandre robuchon from comment #4)
> It looks related indeed. Sorry I didn't find the ticket.
>
> Is the patch in 14.0.3 or do I need to get the nightly to test this?
You should be able to test it using the latest Safari Technology Preview (https://developer.apple.com/safari/technology-preview/).
alexandre robuchon
It works like a charm. No plugin error.
alexandre robuchon
*** This bug has been marked as a duplicate of bug 220665 ***