Closed
Bug 889320
Opened 11 years ago
Closed 11 years ago
Firefox does not show PDF when Content Security Policy is enabled
Categories
(Firefox :: PDF Viewer, defect, P2)
Tracking
()
VERIFIED
FIXED
Firefox 26
People
(Reporter: bugs, Unassigned)
References
Details
(Whiteboard: [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523)
Attachments
(1 file)
137.94 KB,
application/zip
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release) Build ID: 20130625125232 Steps to reproduce: 1. Upload a PDF to a site that secures downloads of previously uploaded files by a Content Security Policy. 2. Download the file (with content-dispostion inline). Actual results: Since Firefox uses pdf.js to display the PDF file, the PDFs are not rendered anymore. Here is an example for the response headers: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private, max-age=0 Content-Disposition: inline; filename="ECMA-262-5thEdition.pdf" Content-Security-Policy: default-src 'none' X-Content-Security-Policy: sandbox; default-src 'none' Content-Type: application/pdf Transfer-Encoding: chunked Date: Tue, 02 Jul 2013 11:31:50 GMT 2000 %PDF-1.4 %.... Expected results: Firefox should display the PDF as expected but should block all scripts that may be part of the downloaded source. Unfortunately this bug tends to move customers to disable CSP completely in order to remedy the defective behaviour. So please consider to disable pdf.js by default.
Comment 1•11 years ago
|
||
(In reply to bogomip from comment #0) > 1. Upload a PDF to a site that secures downloads of previously uploaded > files by a Content Security Policy. Concrete examples of site and pdf please
Keywords: testcase-wanted
The test case contains a HTTP server and a page for PDF download with and without content security policy.
Flags: needinfo?(bugs)
Attachment #781240 -
Attachment mime type: application/octet-stream → application/zip
Comment 3•11 years ago
|
||
Doesn't work on Chrome either.
Component: Networking → PDF Viewer
Product: Core → Firefox
Updated•11 years ago
|
Keywords: testcase-wanted
Updated•11 years ago
|
Priority: -- → P2
Hardware: x86_64 → All
Whiteboard: [pdfjs-c-integration]
Chrome with pdf.js seems to work. See https://github.com/mozilla/pdf.js/issues/3511.
Updated•11 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Depends on: 903452
Resolution: --- → FIXED
Whiteboard: [pdfjs-c-integration] → [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523
Target Milestone: --- → Firefox 26
You need to log in
before you can comment on or make changes to this bug.
Description
•