Closed Bug 889320 Opened 11 years ago Closed 11 years ago

Firefox does not show PDF when Content Security Policy is enabled

Categories: Firefox :: PDF Viewer, defect, P2 (23 Branch, All, Windows 7)

Tracking: VERIFIED FIXED, Firefox 26

People: Reporter: bugs, Unassigned

Whiteboard: [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523

Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130625125232

Steps to reproduce:

1. Upload a PDF to a site that secures downloads of previously uploaded files by a Content Security Policy.

2. Download the file (with content-disposition inline).


Actual results:

Since Firefox uses pdf.js to display the PDF file, the PDFs are not rendered anymore.

Here is an example for the response headers:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private, max-age=0
Content-Disposition: inline; filename="ECMA-262-5thEdition.pdf"
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: sandbox; default-src 'none'
Content-Type: application/pdf
Transfer-Encoding: chunked
Date: Tue, 02 Jul 2013 11:31:50 GMT

2000
%PDF-1.4
%....



Expected results:

Firefox should display the PDF as expected but should block all scripts that may be part of the downloaded source.

Unfortunately this bug tends to move customers to disable CSP completely in order to remedy the defective behaviour. So please consider disabling pdf.js by default.
Component: Untriaged → Networking
Product: Firefox → Core
(In reply to bogomip from comment #0)
> 1. Upload a PDF to a site that secures downloads of previously uploaded
> files by a Content Security Policy.
Concrete examples of site and pdf please
Keywords: testcase-wanted
Flags: needinfo?(bugs)
The test case contains an HTTP server and a page for PDF download with and without content security policy.
Flags: needinfo?(bugs)
Attachment #781240 - Attachment mime type: application/octet-stream → application/zip
Doesn't work on Chrome either.
Component: Networking → PDF Viewer
Product: Core → Firefox
Priority: -- → P2
Hardware: x86_64 → All
Whiteboard: [pdfjs-c-integration]
Chrome with pdf.js seems to work.

See https://github.com/mozilla/pdf.js/issues/3511.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 11 years ago
Depends on: 903452
Resolution: --- → FIXED
Whiteboard: [pdfjs-c-integration] → [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523
Target Milestone: --- → Firefox 26
Verified fixed 28.0a1 (2013-10-30) Win 7
Status: RESOLVED → VERIFIED
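
The response from the report, as an added example that is not part of the original bug or its attached test case: a small Python server that sends a constructed PDF stub with the reported headers under /csp/ and without the policy under /plain/, so both cases can be compared in one browser. The route names, function names and filename filtering are assumptions of this sketch.

```python
import http.client
import http.server
import threading

# Constructed sample body: only a PDF-style header, not a real document.
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"

def download_headers(filename, with_csp=True):
    """Response headers for serving a previously uploaded file inline."""
    # Drop quotes, backslashes and control characters so the name cannot
    # break out of the quoted filename or start a new header line.
    safe = "".join(c for c in filename if c.isprintable() and c not in '"\\')
    headers = [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", f'inline; filename="{safe}"'),
        ("Cache-Control", "private, max-age=0"),
    ]
    if with_csp:  # the two policy headers quoted in the report
        headers.append(("Content-Security-Policy", "default-src 'none'"))
        headers.append(("X-Content-Security-Policy", "sandbox; default-src 'none'"))
    return headers

class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Hypothetical routes: /csp/... carries the policy, /plain/... is the control.
        self.send_response(200)
        for name, value in download_headers("ECMA-262-5thEdition.pdf",
                                            self.path.startswith("/csp/")):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(SAMPLE_PDF)))
        self.end_headers()
        self.wfile.write(SAMPLE_PDF)

def fetch(path):
    """Serve one request on an ephemeral local port; return (headers, body)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
        conn.request("GET", path)
        resp = conn.getresponse()
        return dict(resp.getheaders()), resp.read()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # Open /csp/test.pdf and /plain/test.pdf in the browser under test.
    http.server.HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run directly, it listens on 127.0.0.1:8000; the stub body is only a PDF header, so substitute a real PDF to check actual rendering.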