Firefox does not show PDF when Content Security Policy is enabled

VERIFIED FIXED in Firefox 26

Status

Product: Firefox
Component: PDF Viewer
Priority: P2
Severity: normal
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: bogomip, Unassigned)

Tracking

Version: 23 Branch
Target Milestone: Firefox 26
Platform: All
OS: Windows 7
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130625125232

Steps to reproduce:

1. Upload a PDF to a site that secures downloads of previously uploaded files by a Content Security Policy.

2. Download the file (with Content-Disposition inline).


Actual results:

Since Firefox uses pdf.js to display the PDF file, the PDFs are not rendered anymore.

Here is an example for the response headers:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private, max-age=0
Content-Disposition: inline; filename="ECMA-262-5thEdition.pdf"
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: sandbox; default-src 'none'
Content-Type: application/pdf
Transfer-Encoding: chunked
Date: Tue, 02 Jul 2013 11:31:50 GMT

2000
%PDF-1.4
%....



Expected results:

Firefox should display the PDF as expected but should block all scripts that may be part of the downloaded source.

Unfortunately this bug tends to move customers to disable CSP completely in order to remedy the defective behaviour. So please consider disabling pdf.js by default.

Updated

5 years ago
Component: Untriaged → Networking
Product: Firefox → Core
Comment 1

(In reply to bogomip from comment #0)
> 1. Upload a PDF to a site that secures downloads of previously uploaded
> files by a Content Security Policy.
Concrete examples of site and pdf please

Updated

5 years ago
Keywords: testcase-wanted

Updated

5 years ago
Flags: needinfo?(bugs)
(Reporter)

Comment 2

5 years ago
Created attachment 781240 [details]
Test case in ZIP archive

The test case contains an HTTP server and a page for PDF download with and without Content Security Policy.
Flags: needinfo?(bugs)

Updated

5 years ago
Attachment #781240 - Attachment mime type: application/octet-stream → application/zip
Comment 3

Doesn't work on Chrome either.
Component: Networking → PDF Viewer
Product: Core → Firefox
Keywords: testcase-wanted

Updated

5 years ago
Priority: -- → P2
Hardware: x86_64 → All
Whiteboard: [pdfjs-c-integration]
(Reporter)

Comment 4

5 years ago
Chrome with pdf.js seems to work.

See https://github.com/mozilla/pdf.js/issues/3511.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Depends on: 903452
Resolution: --- → FIXED
Whiteboard: [pdfjs-c-integration] → [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523
Target Milestone: --- → Firefox 26
Verified fixed 28.0a1 (2013-10-30) Win 7
Status: RESOLVED → VERIFIED