Inline styles added by WebKit when viewing PDFs cause CSP violation 
https://bugs.webkit.org/show_bug.cgi?id=166630
Summary Inline styles added by WebKit when viewing PDFs cause CSP violation
j162011
Reported 2016-12-31 05:03:55 PST
If a site has a CSP that disallows inline styles then a CSP violation report is sent when viewing a PDF Steps to reproduce 1) View a PDF document [1] on a site with a CSP that disallows inline styles 2) Open developer tools and look at the console Actual results * An error message showing a CSP violation is shown [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. Expected results A CSP violation should not happen. The inline styles could be moved to a stylesheet to stop this happening [1] for example: https://cuoc.soc.srcf.net/eventdetails/2015/cityrace/flyer.pdf At the time of the bug report, the CSP on document [1] was Content-Security-Policy-Report-Only: default-src 'self'; script-src 'none'; img-src * data:; child-src 'none'; block-all-mixed-content; report-uri https://cfdfb69390e4d94a41b74106a231c475.report-uri.io/r/default/csp/reportOnly
Attachments
Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2016-12-31 09:17:21 PST
(In reply to comment #0) > [Report Only] Refused to apply inline style because it violates the > following Content Security Policy directive: "default-src 'self'". Either > the 'unsafe-inline' keyword, a hash > ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce > ('nonce-...') is required to enable inline execution. Note also that > 'style-src' was not explicitly set, so 'default-src' is used as a fallback. > I am assuming that you encountered this issue in Safari/WebKit (will check shortly) as this error message is from Chrome/Blink. What version and build number of Safari did you encounter this issue? You can find this version information in Safari > About Safari (the build number will be in parentheses).
j162011
Comment 2 2016-12-31 09:56:25 PST
(In reply to comment #1) > (In reply to comment #0) > > [Report Only] Refused to apply inline style because it violates the > > following Content Security Policy directive: "default-src 'self'". Either > > the 'unsafe-inline' keyword, a hash > > ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce > > ('nonce-...') is required to enable inline execution. Note also that > > 'style-src' was not explicitly set, so 'default-src' is used as a fallback. > > > > I am assuming that you encountered this issue in Safari/WebKit (will check > shortly) as this error message is from Chrome/Blink. What version and build > number of Safari did you encounter this issue? You can find this version > information in Safari > About Safari (the build number will be in > parentheses). Actually I encountered this issue in the following: * Google Chrome 55.0.2883.87 m (64-bit) * Google Chrome 57.0.2968.0 canary (64-bit) * Opera 42.0.2393.94 All the above have [AppleWebKit/537.36] in the browser useragent I assumed it was an issue with WebKit as the inline styling and error message was identical between the browsers. I was not aware of Blink, so apologise if I have reported this issue in the wrong place. I cannot test with Safari as I don't have an iOS platform I can use.
Wevah
Comment 3 2018-05-19 20:01:01 PDT
I see this in Safari 11.1 on macOS 10.13.4. Happens to me when loading text/plain files as well.
Daniel Bates
Comment 4 2018-05-19 21:31:15 PDT
(In reply to Wevah from comment #3) > I see this in Safari 11.1 on macOS 10.13.4. Happens to me when loading > text/plain files as well. Can you please elaborate? Are you using the same reproduction steps as in comment #0? What are the reproduction steps for a text/plain file? Just open a local file URL to a .txt file?
Wevah
Comment 5 2018-05-21 08:37:18 PDT
Local URLs aren't affected, I'm assuming since there's no CSP to evaluate. Here's an example URL that exhibits the issue: https://derailer.org/code/xcode/ifZero.pl (Sent as text/plain with a CSP header.)
Alex Ruar
Comment 6 2023-08-24 03:33:28 PDT
This is perhaps related: it seems that the CSP violation sometimes causes PDF height to be severely truncated in the viewer. Here is an example URL: https://rutar.org/papers/assouad_interpolation.pdf Inspecting the source shows the following error: > Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. The same PDF is viewable in Safari if first downloaded, with no issue. There do not seem to be issues viewing the PDF with non-webkit browsers either. There do not seem to be issues on iOS or iPadOS. Versions: Safari 16.5.2 (18615.2.9.11.10) Ventura 13.4.1 (c) (22F770820d)
Craig Francis
Comment 7 2024-07-31 04:25:28 PDT
I've got the same problem - If the Content-Security-Policy does not include style-src 'unsafe-inline' then the PDF is rendered in a 300px x 150px box in the top left: https://craig.dev/misc/safari/2024-07-21-pdf-style/pdf/ And it works when I add style-src 'unsafe-inline': https://craig.dev/misc/safari/2024-07-21-pdf-style/pdf/?style=unsafe-inline
Jim M.
Comment 8 2024-07-31 13:45:56 PDT
I described this issue with posts to stack overflow.com and reddit.com over one year ago. See https://stackoverflow.com/questions/76077768/webkit-pdf-display-seems-to-require-csp-with-unsafe-inline-style-src and https://www.reddit.com/r/webdev/comments/12yt7g6/problem_with_display_of_pdfs_in_safariwebkit/ A page that displays the issue is https://yourmacdoc.com/articles/files/That_One_Privacy_Guy's_Simple_VPN_Comparison_Chart_07-20-2019.pdf The website server's Content Security Policy (CSP) contains “style-src 'self’;” The page displays the .pdf in a small box while using Safari 17.5 (19617.1.12.11.6) whereas Safari Technology Preview Release 199 (Safari 18.0, WebKit 19619.1.22.5) displays the .pdf correctly. (macOS Sonoma 14.5).
Note You need to log in before you can comment on or make changes to this bug.