Bug 277416
Summary: | Using back/forward buttons with PDF, and a CSP without connect-src 'self' | ||
---|---|---|---|
Product: | WebKit | Reporter: | Craig Francis <craig+webkit> |
Component: | | Assignee: | Nobody <webkit-unassigned> |
Status: | NEW | ||
Severity: | Normal | CC: | a_protyasha, simon.fraser, thorton, webkit-bug-importer, wilander |
Priority: | P2 | Keywords: | InRadar |
Version: | Safari 17 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=166630 |
Craig Francis
If you follow a link to a PDF and it includes a Content-Security-Policy that does not allow connect-src 'self', then use the browser's back and forward buttons; when you go forwards (to view the PDF again) it won't render the PDF, it will show a grey window, and these errors in the dev tools console:
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
Example at:
https://craig.dev/misc/safari/2024-07-21-pdf-connect/
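Added example (not part of the original report, and not WebKit's or the reporter's code): a check a site operator can run over the Content-Security-Policy values sent with PDF responses to find those that match the condition described above, using the same connect-src then default-src fallback named in the console errors. The function names, the sample policies and the origin are constructed for illustration; source matching is simplified as noted in the comments.

```javascript
// Added example. Policies and origin below are constructed sample values.

// Parse one serialized policy into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Sources governing connect requests: connect-src, else default-src,
// else null (the policy does not restrict connections).
function connectSources(policy) {
  const d = parsePolicy(policy);
  return d.get('connect-src') ?? d.get('default-src') ?? null;
}

// Simplified source matching: 'self', *, scheme-source, exact origin or host.
// Wildcard hosts, ports and paths are not handled.
function sourceAllowsOrigin(source, origin) {
  const url = new URL(origin);
  const s = source.toLowerCase();
  return s === "'self'" || s === '*' || s === url.protocol ||
         s === url.origin || s === url.host;
}

// A header may carry several comma-separated policies; every one must allow
// the request, so a single blocking policy is enough to block it.
function blocksSameOriginConnect(headerValue, origin) {
  return headerValue.split(',').some((policy) => {
    const sources = connectSources(policy);
    return sources !== null && !sources.some((s) => sourceAllowsOrigin(s, origin));
  });
}

const ORIGIN = 'https://example.com'; // constructed origin of the PDF response
const samples = [
  "default-src 'none'",
  "default-src 'none'; connect-src 'self'",
  "default-src 'self'",
  "img-src 'self'",
];
for (const csp of samples) {
  console.log(blocksSameOriginConnect(csp, ORIGIN) ? 'affected  ' : 'unaffected', csp);
}
```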
Radar WebKit Bug Importer
<rdar://problem/133375947>