CSP: sandbox response header prevents showing inline PDFs in Safari #2839
Comments
kwin
changed the title
|
FTR: Adobe confirmed the issue in a support ticket (E-001329277) but is not planning to either revert the CSP header nor fixing this in some other way for Safari. |
|
Chrome removes CSP headers (https://chromium-review.googlesource.com/c/chromium/src/+/2176415) therefore it is very unlikely that setting CSP: sandbox on inline PDFs has any security impact (at least on Chrome) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The commit 18694ef#diff-431ef0a11cf72a24d447085f46d6470e6fa53f2ad883836c08cdb59e832912f8R195 introduced a regression for us that PDFs do no longer display inline in Safari.
Instead Safari just exposes an empty window without a reasonable error message to the user (as if the PDF is broken).
Other browser are working fine (so they seem to interpret the CSP value
sandboxdifferently compare also with whatwg/html#3958).The only error message is visible in the Dev Tools Console:
Blocked script execution in '<some AEM PDF asset path>.coredownload.inline.pdf' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.In order to reproduce just request a PDF asset with extension
coredownload.inline.pdfin Safari (Version 17.6 on Mac OS 14.6.1 in my case).The text was updated successfully, but these errors were encountered: