Bug 166630 - Inline styles added by WebKit when viewing PDFs cause CSP violation
Summary: Inline styles added by WebKit when viewing PDFs cause CSP violation
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: PC Windows 10
Importance: P2 Minor
Assignee: Nobody
URL: https://derailer.org/code/xcode/ifZer...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-31 05:03 PST by j162011
Modified: 2023-08-24 03:33 PDT

See Also:

Description j162011 2016-12-31 05:03:55 PST
If a site has a CSP that disallows inline styles, then a CSP violation report is sent when viewing a PDF.

Steps to reproduce 
1) View a PDF document [1] on a site with a CSP that disallows inline styles
2) Open developer tools and look at the console

Actual results
* An error message showing a CSP violation is shown

[Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Expected results
A CSP violation should not happen.
The inline styles could be moved to a stylesheet to stop this happening.

[1] for example: https://cuoc.soc.srcf.net/eventdetails/2015/cityrace/flyer.pdf

At the time of the bug report, the CSP on document [1] was

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'none'; img-src * data:; child-src 'none'; block-all-mixed-content; report-uri https://cfdfb69390e4d94a41b74106a231c475.report-uri.io/r/default/csp/reportOnly
Comment 1 Daniel Bates 2016-12-31 09:17:21 PST
(In reply to comment #0)
> [Report Only] Refused to apply inline style because it violates the
> following Content Security Policy directive: "default-src 'self'". Either
> the 'unsafe-inline' keyword, a hash
> ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce
> ('nonce-...') is required to enable inline execution. Note also that
> 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
> 

I am assuming that you encountered this issue in Safari/WebKit (will check shortly) as this error message is from Chrome/Blink. In what version and build number of Safari did you encounter this issue? You can find this version information in Safari > About Safari (the build number will be in parentheses).
Comment 2 j162011 2016-12-31 09:56:25 PST
(In reply to comment #1)
> (In reply to comment #0)
> > [Report Only] Refused to apply inline style because it violates the
> > following Content Security Policy directive: "default-src 'self'". Either
> > the 'unsafe-inline' keyword, a hash
> > ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce
> > ('nonce-...') is required to enable inline execution. Note also that
> > 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
> > 
> 
> I am assuming that you encountered this issue in Safari/WebKit (will check
> shortly) as this error message is from Chrome/Blink. What version and build
> number of Safari did you encounter this issue? You can find this version
> information in Safari > About Safari (the build number will be in
> parentheses).

Actually I encountered this issue in the following:
* Google Chrome 55.0.2883.87 m (64-bit)
* Google Chrome 57.0.2968.0 canary (64-bit)
* Opera 42.0.2393.94
All the above have [AppleWebKit/537.36] in the browser user agent.

I assumed it was an issue with WebKit as the inline styling and error message was identical between the browsers. I was not aware of Blink, so apologise if I have reported this issue in the wrong place.

I cannot test with Safari as I don't have an iOS platform I can use.
Comment 3 Wevah 2018-05-19 20:01:01 PDT
I see this in Safari 11.1 on macOS 10.13.4. Happens to me when loading text/plain files as well.
Comment 4 Daniel Bates 2018-05-19 21:31:15 PDT
(In reply to Wevah from comment #3)
> I see this in Safari 11.1 on macOS 10.13.4. Happens to me when loading
> text/plain files as well.

Can you please elaborate? Are you using the same reproduction steps as in comment #0? What are the reproduction steps for a text/plain file? Just open a local file URL to a .txt file?
Comment 5 Wevah 2018-05-21 08:37:18 PDT
Local URLs aren't affected, I'm assuming since there's no CSP to evaluate.

Here's an example URL that exhibits the issue: https://derailer.org/code/xcode/ifZero.pl

(Sent as text/plain with a CSP header.)
Comment 6 Alex Ruar 2023-08-24 03:33:28 PDT
This is perhaps related: it seems that the CSP violation sometimes causes PDF height to be severely truncated in the viewer.

Here is an example URL: https://rutar.org/papers/assouad_interpolation.pdf

Inspecting the source shows the following error:

> Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

The same PDF is viewable in Safari if first downloaded, with no issue. There do not seem to be issues viewing the PDF with non-WebKit browsers either. There do not seem to be issues on iOS or iPadOS.

Versions:
Safari 16.5.2 (18615.2.9.11.10)
Ventura 13.4.1 (c) (22F770820d)