1628862 - Firefox 75 not loading PDF from BLOB, Security Error Content at...may not load data from blob:

Status: RESOLVED INACTIVE

(Core :: DOM: File, defect, P3)

Description

[Isaac Livingston]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

Updated to Firefox 75; used web app that worked yesterday, now getting security error and no embedded load of PDF documents.

The web app continues to work as expected in Chrome and Brave.

Actual results:

Attempted to request a PDF that is embedded, received white screen without any PDFJS frame and a console error: Security Error: Content at <my-url> may not load data from blob:<my-url>/481ecec8-e328-4cbb-8ef4-f4ba54d9cba5?saveName=<file-name>.pdf.

Expected results:

PDF should load in the PDFJS frame as usual.

Comment 1

[Isaac Livingston]

The resource's url is: http: //app.domain.com/area/controller/action

HTML
<iframe src="blob:http: //app.domain.com/5d66d02d-593d-4c27-bb66-db7330e4e0a8?saveName=file name 0000.pdf" style="height: 70vh; width: 100%;" type="application/pdf">
(... iframe goodness ...)
</iframe>

Comment 2

[pnparam]

I am also having the same problem in my application too. Even if the domain name is same, it shows a security error.

Comment 3

[pnparam]

@Isaac Livingston
I have found a workaround for the issue by omitting "?saveName=" part from the blob URL.
In your case, the below change should work if the saveName parameter is not an important thing your app:
<iframe src="blob:http: //app.domain.com/5d66d02d-593d-4c27-bb66-db7330e4e0a8" style="height: 70vh; width: 100%;" type="application/pdf">

Comment 4

[Isaac Livingston]

(In reply to pnparam from comment #3)

@Isaac Livingston
I have found a workaround for the issue by omitting "?saveName=" part from the blob URL.
In your case, the below change should work if the saveName parameter is not an important thing your app:
<iframe src="blob:http: //app.domain.com/5d66d02d-593d-4c27-bb66-db7330e4e0a8" style="height: 70vh; width: 100%;" type="application/pdf">

Thank you! This works for our needs. Good thing we have access to the source.

Comment 5

[Anne (:annevk)]

Could it be that Chrome had a different code path in your application? I cannot get blob: URLs with query parameters to work in Chrome.

Comment 6

[smorgan]

I'm seeing a variation on this issue with firefox unable to access a blob within the same domain:

Security Error: Content at http://192.168.6.111/ may not load data from blob:http://192.168.6.111/fd0192f0-91c8-437b-9154-191f31b1312e

Same thing occurs whether it's an FQDN, localhost or IP.

In my case it's setting the source for a video with videojs (popular video player) using the output of URL.createObjectURL(mediaSource);

This works fine in Chrome but not in Firefox.

Comment 7

[Isaac Livingston]

@smorgan

I'm rather certain we ended up writing a conditional statement with URL.createObjectURL() to form different outputs for Firefox and Chrome. If memory servers, the Chrome version required parameters while the Firefox version needed them to be omitted.

Comment 8

[smorgan]

@Isaac The reason I described my issue as a variation of this problem is that it's occurring even though there are no query string/parameters.

Comment 9

[Tom S. (please needinfo tschuster)]

Please provide a simple testcase (a standalone HTML page would be best) that reproduces this issue.

Comment 10

[Jens Stutte [:jstutte]]

(In reply to Tom Schuster [:evilpie] from comment #9)

Please provide a simple testcase (a standalone HTML page would be best) that reproduces this issue.

Same request to you, Isaac. Thanks for your support!

Comment 11

[Kagami Rosylight [:saschanaz] (they/them)]

Closing as the first affected version is very old, the referenced website http://app.domain.com/area/controller/action is not accessible anymore, and there is no minimal repro.