Bug 223576

Summary: Safari needs csp with object-src : 'self' to render a PDF
Product: WebKit Reporter: alexandre robuchon <alexandre.robuchon>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: achristensen, bfulgham, katherine_cheney, thorton
Priority: P2    
Version: Safari 14   
Hardware: Unspecified   
OS: Unspecified   

Description alexandre robuchon 2021-03-22 08:19:42 PDT 
Macos: 10.15.7 
Safari: Version 14.0 (15610.1.28.1.9, 15610)

A pdf served with Content-Security-Policy header to "default-src 'none'; style-src 'self' 'unsafe-inline';" is not displayed in Safari. It complains about not having 'object-src' set to 'self'.

This header works fine in Chrome, Edge, Firefox ...


Is it something that will be fixed or is it the intended behavior ?


thanks.
Comment 1 Alexey Proskuryakov 2021-03-22 12:50:56 PDT 
This seems unlikely to be intended if it's different from other browsers. Probably an artifact of having PDF loading implemented using plugin code paths.
Comment 2 Tim Horton 2021-03-22 13:35:46 PDT 
Kate, is this related to https://trac.webkit.org/changeset/271650/webkit?
Comment 3 Tim Horton 2021-03-22 13:35:54 PDT 
(or maybe a dupe of it?)
Comment 4 alexandre robuchon 2021-03-22 14:16:19 PDT 
It looks related indeed. Sorry I didn't find the ticket.


Is the patch in 14.0.3 or do I need to get the nightly to test this ?
Comment 5 Kate Cheney 2021-03-23 10:27:28 PDT 
(In reply to alexandre robuchon from comment #4)
> It looks related indeed. Sorry I didn't find the ticket.
> 
> 
> Is the patch in 14.0.3 or do I need to get the nightly to test this ?

You should be able to test it using the latest Safari Technology Preview (https://developer.apple.com/safari/technology-preview/).
Comment 6 alexandre robuchon 2021-03-23 11:54:40 PDT 
It works like a charm. No plugin error.
Comment 7 alexandre robuchon 2021-03-23 11:57:23 PDT 

*** This bug has been marked as a duplicate of bug 220665 ***