Issue 806202 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 271452
Owner:	dsinclair@chromium.org
Closed:	Jan 2018
Cc:	█ mkwst@chromium.org
Components:	Blink>SecurityFeature Internals>Plugins>PDF
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Unable to view https://cuoc.org.uk/docs/2016_risk_assessment.pdf due to CSP violation

Project Member Reported by foolip@chromium.org, Jan 26 2018

Issue description

This was reported on https://github.com/webcompat/web-bugs/issues/5095

It appears as though cuoc.org.uk is sending this CSP header:
default-src 'self'; script-src 'self' 'unsafe-inline' www.google-analytics.com; img-src * data:; child-src 'none'; object-src 'none'; media-src 'none'; block-all-mixed-content

And because we use use an <embed> object in https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/PluginDocument.cpp, it fails like this:
Refused to load plugin data from 'https://cuoc.org.uk/docs/2016_risk_assessment.pdf' because it violates the following Content Security Policy directive: "object-src 'none'".

I've confirmed that it works on a server without a CSP header.

Comment 1 by hnakashima@chromium.org, Jan 29 2018

Owner: dsinclair@chromium.org
Status: Unconfirmed (was: Untriaged)

Dan, who's a good owner for this?

Comment 2 by dsinclair@chromium.org, Jan 29 2018

Mergedinto: 271452
Status: Duplicate (was: Unconfirmed)

►

Issue 806202 link

Issue metadata

Unable to view https://cuoc.org.uk/docs/2016_risk_assessment.pdf due to CSP violation

Issue description

Comment 1 by hnakashima@chromium.org, Jan 29 2018

Comment 1 Deleted

Comment 2 by dsinclair@chromium.org, Jan 29 2018

Comment 2 Deleted

Sign in to add a comment