Bug 223576: RESOLVED DUPLICATE of bug 220665
Safari needs csp with object-src : 'self' to render a PDF
https://bugs.webkit.org/show_bug.cgi?id=223576
alexandre robuchon
Reported 2021-03-22 08:19:42 PDT
macOS: 10.15.7
Safari: Version 14.0 (15610.1.28.1.9, 15610)

A PDF served with the Content-Security-Policy header set to "default-src 'none'; style-src 'self' 'unsafe-inline';" is not displayed in Safari. It complains about not having 'object-src' set to 'self'. This header works fine in Chrome, Edge, Firefox... Is it something that will be fixed, or is it the intended behavior? Thanks.
Alexey Proskuryakov
Comment 1 2021-03-22 12:50:56 PDT
This seems unlikely to be intended if it's different from other browsers. Probably an artifact of having PDF loading implemented using plugin code paths.
Tim Horton
Comment 2 2021-03-22 13:35:46 PDT
Tim Horton
Comment 3 2021-03-22 13:35:54 PDT
(or maybe a dupe of it?)
alexandre robuchon
Comment 4 2021-03-22 14:16:19 PDT
It looks related indeed. Sorry I didn't find the ticket. Is the patch in 14.0.3 or do I need to get the nightly to test this?
Kate Cheney
Comment 5 2021-03-23 10:27:28 PDT
(In reply to alexandre robuchon from comment #4)
> It looks related indeed. Sorry I didn't find the ticket.
>
> Is the patch in 14.0.3 or do I need to get the nightly to test this ?

You should be able to test it using the latest Safari Technology Preview (https://developer.apple.com/safari/technology-preview/).
alexandre robuchon
Comment 6 2021-03-23 11:54:40 PDT
It works like a charm. No plugin error.
alexandre robuchon
Comment 7 2021-03-23 11:57:23 PDT
*** This bug has been marked as a duplicate of bug 220665 ***
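The header in the original report sets no object-src, so under CSP's fallback rule default-src 'none' becomes the governing source list for object-src, the directive the reporter says Safari 14.0 complained about. The sketch below is an added example, not part of the bug report or of WebKit; it uses simplified CSP parsing, and the function names are hypothetical.

```javascript
// Added example: resolve which directive governs a fetch type in a
// Content-Security-Policy header value (simplified, single-policy parsing).

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the governing directive and its sources for `name`, falling back
// to default-src when `name` is absent. null means "no restriction".
function effectiveDirective(header, name) {
  const policy = parseCsp(header);
  for (const candidate of [name, 'default-src']) {
    if (policy.has(candidate)) {
      return { directive: candidate, sources: policy.get(candidate) };
    }
  }
  return null;
}

// True when the governing source list is empty or 'none' (nothing may load).
function blocksAll(header, name) {
  const eff = effectiveDirective(header, name);
  if (eff === null) return false;
  return eff.sources.length === 0 ||
    (eff.sources.length === 1 && eff.sources[0].toLowerCase() === "'none'");
}

// Header from the report, and the same header with object-src 'self' added.
const REPORTED = "default-src 'none'; style-src 'self' 'unsafe-inline';";
const WITH_OBJECT_SRC = REPORTED + " object-src 'self';";

console.log(effectiveDirective(REPORTED, 'object-src'));
console.log(blocksAll(REPORTED, 'object-src'), blocksAll(WITH_OBJECT_SRC, 'object-src'));
```

Running a served policy through a check like this shows ahead of time which resource types a `default-src 'none'` baseline leaves closed, which helps when a browser routes a content type through an unexpected directive.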