Content Security Policy prevent PDF opening in new window
Reported by
buck...@gmail.com,
Mar 15 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Download the attached example
2. unzip
3. follow instructions in readme.txt to get server running
4. click on HTML is content security policy
5. click on PDF that opens in new page.

What is the expected behavior?
The PDF should render.

What went wrong?
Just a blank page is displayed.

Does it occur on multiple sites: N/A
Is it a problem with a plugin? No
Did this work before? N/A
Does this work in other browsers? Yes
Chrome version: 57.0.2987.98 Channel: stable
OS Version: OS X 10.12.3
Flash Version:

It appears that when there is an HTML page restricted by a Content Security Policy and that page contains a link to a PDF document that opens in a new window, the PDF will fail to open; if the link to the PDF opens in the same window, then it all works correctly.

The CSP policy is: "sandbox allow-forms allow-scripts allow-top-navigation allow-popups allow-pointer-lock"
,
Mar 17 2017
This looks like it is out of scope for TE (due to connecting to localhost), hence adding the respective label for it to be triaged further.
,
Mar 17 2017
Documents placed into a sandbox can't load plugins. The PDF viewer is a plugin, so it's blocked in that context. That bit makes sense. It's not clear to me, though, why the PDF loads in a sandboxed context. alexmos@, is it possible that we're not correctly resetting the sandbox bits on a frame when navigating the top level?
,
Mar 17 2017
Ah, I understand. The PDF works correctly when you navigate the top level, but does not work when you open a new window. This is working as intended, as sandbox properties propagate out to newly opened windows. If you add `allow-popups-to-escape-sandbox` to the sandbox policy, then newly opened windows will not inherit the sandbox flags, and your PDF will load as you expect it to.
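The behaviour described in the comment above, as an added example that is not part of the original thread or of Chromium's code: it parses the sandbox directive of a CSP header value and reports whether a newly opened window inherits the sandbox, and therefore whether the PDF viewer plugin can load there. The function names and result fields are assumptions made for this illustration; the two policies are the reporter's and the same policy with `allow-popups-to-escape-sandbox` added.

```javascript
// Added example (hypothetical helper names): model how a CSP `sandbox`
// directive affects a PDF link that opens in a new window.
function parseSandbox(cspHeader) {
  // Directives are separated by ';'. The first `sandbox` directive is used.
  for (const directive of cspHeader.split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') {
      return new Set(tokens.map((t) => t.toLowerCase()));
    }
  }
  return null; // no sandbox directive: the document is not sandboxed by CSP
}

function popupBehaviour(cspHeader) {
  const flags = parseSandbox(cspHeader);
  if (flags === null) {
    return { sandboxed: false, popupsAllowed: true,
             popupInheritsSandbox: false, pdfViewerLoadsInPopup: true };
  }
  const popupsAllowed = flags.has('allow-popups');
  // Without this flag, sandbox properties propagate to newly opened windows.
  const escapes = flags.has('allow-popups-to-escape-sandbox');
  const popupInheritsSandbox = popupsAllowed && !escapes;
  return {
    sandboxed: true,
    popupsAllowed,
    popupInheritsSandbox,
    // Sandboxed documents cannot load plugins; the PDF viewer is a plugin.
    pdfViewerLoadsInPopup: popupsAllowed && !popupInheritsSandbox,
  };
}

// Policy from the report, and the same policy with the suggested flag added.
const REPORTED_POLICY =
  'sandbox allow-forms allow-scripts allow-top-navigation allow-popups allow-pointer-lock';
const AMENDED_POLICY = REPORTED_POLICY + ' allow-popups-to-escape-sandbox';

for (const policy of [REPORTED_POLICY, AMENDED_POLICY]) {
  console.log(policy);
  console.log(popupBehaviour(policy));
}
```

With `allow-popups-to-escape-sandbox`, every window the page opens runs without the sandbox restrictions, so the flag removes that protection for all popups, not just the PDF link.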
,
Mar 17 2017
If this is considered the intended behaviour, could a message be put in the console when sandboxing blocks content, as this wasn't easy to track down? Side note: That behaviour seems almost counterintuitive, that sandbox properties don't persist when you navigate in the current window, but do persist when you open a new window and have the document open there. Why don't I need a property of 'allow-navigation-to-escape-sandbox'?