We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=191037>.

Don't inherit parent's CSP in PluginDocuments

Inheriting the CSP in a PluginDocument causes <iframe src="foo.pdf"> to be blocked if the parent's CSP forbids <embed src="foo.pdf">, as the iframe turns into a PluginDocument with an <embed> tag inside it. The only exception is that the plugin-types directive is still inherited from a parent document to a child PluginDocument, which preserves the current behavior and is required by the CSP spec.
<rdar://problem/24383285>
I can't reproduce the bug this Blink revision fixed.

index.html:
-----------
<!DOCTYPE html>
<iframe src="plugin-test.html"></iframe>

plugin-test.html:
----------------
<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
<iframe src="foo.pdf"></iframe>

The above example displays the PDF as expected.

Another attempt I made was to simulate what the tests in that revision simulated with a Python server which responds to any GET request with

Content-Type: application/x-webkit-netscape-test
Content-Security-Policy: object-src 'none'

<h2>test</h2>

This causes WebKit to initiate a download of a plain text file containing the text "test".

At no point does CSP block anything.
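
The Python server described in the comment above could be written as follows. This is an added example, not code from this bug thread or from the Blink tests; the header values and body come from the comment, while the bind address, port and the `probe` self-check helper are assumptions.

```python
# Added example (not from the bug thread): a local server that answers every
# GET with the headers and body quoted in the comment above.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CONTENT_TYPE = "application/x-webkit-netscape-test"  # from the comment
CSP = "object-src 'none'"                            # from the comment
BODY = b"<h2>test</h2>"                              # from the comment
BIND_ADDR, PORT = "127.0.0.1", 8000                  # assumptions


class PluginCSPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Same response for any path, so foo.pdf, /, etc. all behave alike.
        self.send_response(200)
        self.send_header("Content-Type", CONTENT_TYPE)
        self.send_header("Content-Security-Policy", CSP)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)


def make_server(port=PORT):
    return ThreadingHTTPServer((BIND_ADDR, port), PluginCSPHandler)


def probe(path="/foo.pdf"):
    """Hypothetical self-check: serve on an ephemeral port, fetch once, and
    return (status, headers, body) so the response can be verified before a
    browser is pointed at it."""
    srv = make_server(0)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection(BIND_ADDR, srv.server_address[1], timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        result = (resp.status, dict(resp.getheaders()), resp.read())
        conn.close()
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    with make_server() as srv:
        print(f"serving on http://{BIND_ADDR}:{PORT}/ (Ctrl-C to stop)")
        srv.serve_forever()
```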
Additionally, this example also displays the PDF as expected.

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
<iframe src="foo.pdf"></iframe>
(In reply to Ryan Reno from comment #3)
> Additionally, this example also displays the PDF as expected.
>
> <!DOCTYPE html>
> <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
> <iframe src="foo.pdf"></iframe>

Actually, I don't know if that's expected or not? Maybe that's a separate issue.