User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130625125232

Steps to reproduce:

1. Upload a PDF to a site that secures downloads of previously uploaded files by a Content Security Policy.
2. Download the file (with content-disposition inline).

Actual results:

Since Firefox uses pdf.js to display the PDF file, the PDFs are not rendered anymore. Here is an example for the response headers:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private, max-age=0
Content-Disposition: inline; filename="ECMA-262-5thEdition.pdf"
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: sandbox; default-src 'none'
Content-Type: application/pdf
Transfer-Encoding: chunked
Date: Tue, 02 Jul 2013 11:31:50 GMT

2000
%PDF-1.4
%....

Expected results:

Firefox should display the PDF as expected but should block all scripts that may be part of the downloaded source. Unfortunately this bug tends to move customers to disable CSP completely in order to remedy the defective behaviour. So please consider disabling pdf.js by default.
(In reply to bogomip from comment #0)
> 1. Upload a PDF to a site that secures downloads of previously uploaded
> files by a Content Security Policy.

Concrete examples of site and pdf please
Created attachment 781240
Test case in ZIP archive

The test case contains an HTTP server and a page for PDF download with and without content security policy.
Attachment #781240 - Attachment mime type: application/octet-stream → application/zip
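An added example (not the attached test case and not code from anyone in this thread): a Node.js server that serves one local PDF inline at two URLs, one with the two policy headers quoted in comment 0 and one without, so a viewer's behaviour can be compared side by side. The function names, URL paths, port and filename sanitization are assumptions made for this example.

```javascript
// Added example: serve the same PDF with and without the reported CSP headers.

// Policy values copied from the response headers quoted in comment 0.
const CSP = "default-src 'none'";
const X_CSP = "sandbox; default-src 'none'";

// Build the Content-Disposition value. Uploaded filenames are untrusted, so
// replace characters that could end the quoted string or inject a header line.
function contentDisposition(filename) {
  const safe = String(filename).replace(/[\r\n"\\\/]/g, '_');
  return `inline; filename="${safe}"`;
}

// Response headers for one download; `withCsp` selects the variant.
function pdfHeaders(filename, withCsp) {
  const headers = {
    'Content-Type': 'application/pdf',
    'Cache-Control': 'private, max-age=0',
    'Content-Disposition': contentDisposition(filename),
  };
  if (withCsp) {
    headers['Content-Security-Policy'] = CSP;
    headers['X-Content-Security-Policy'] = X_CSP;
  }
  return headers;
}

// Map a request path to its variant: true, false, or null for "not found".
function variantFor(url) {
  if (url === '/with-csp.pdf') return true;
  if (url === '/without-csp.pdf') return false;
  return null;
}

// Serve the PDF stored at `path` on localhost only (hypothetical paths/port).
async function serve(path, port) {
  const http = await import('node:http');
  const fs = await import('node:fs');
  const body = fs.readFileSync(path);
  http.createServer((req, res) => {
    const withCsp = variantFor(req.url);
    if (withCsp === null) { res.writeHead(404); return res.end(); }
    res.writeHead(200, pdfHeaders('test.pdf', withCsp));
    res.end(body);
  }).listen(port, '127.0.0.1');
}

// Usage: node server.js serve some.pdf, then open
// http://127.0.0.1:8080/with-csp.pdf and /without-csp.pdf in the browser.
if (process.argv[2] === 'serve') serve(process.argv[3], 8080);
```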
Doesn't work on Chrome either.
Component: Networking → PDF Viewer
Product: Core → Firefox
Priority: -- → P2
Hardware: x86_64 → All
Chrome with pdf.js seems to work. See https://github.com/mozilla/pdf.js/issues/3511.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Depends on: 903452
Resolution: --- → FIXED
Whiteboard: [pdfjs-c-integration] → [pdfjs-c-integration][pdfjs-f-fixed-upstream] https://github.com/mozilla/pdf.js/pull/3523
Target Milestone: --- → Firefox 26
Verified fixed 28.0a1 (2013-10-30) Win 7
Status: RESOLVED → VERIFIED