[Webkit-unassigned] [Bug 172038] New: PDF Plugin gets blocked by CSP when object-src 'none' is set even if the PDF is served from other domain in separate tab.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 12 11:29:38 PDT 2017


            Bug ID: 172038
           Summary: PDF Plugin gets blocked by CSP when object-src 'none'
                    is set even if the PDF is served from other domain in
                    separate tab.
           Product: WebKit
           Version: Safari 10
          Hardware: Macintosh
                OS: macOS 10.12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: markus.backman at swedbank.se

Created attachment 309921

  --> https://bugs.webkit.org/attachment.cgi?id=309921&action=review

zip with screenshots

Our site, https://online.swedbank.se is using CSP to ensure that a customers online banking session is as secured as possible. The CSP contains among other object-src 'none'; to ensure that no plugins are allowed to be executed under our domain as we currently don't have that need. 

But with the latest Safari (Technology Preview have the same problem) we have gotten reports from our customer that the internal PDFPlugin in Safari gets blocked in the cases we transport a customer to a separate domain. That domain don't have any CSP policy defined by itself. Also when we open a PDF, in this case a electronic invoice that is hosted by a 3de party provider, we ensure to open a new tab so the customer can view the PDF in that tab and continue the online banking presence in the original tab.

Lastest Chrome, FF, Edge and IE (well not much of CSP there) opens the tab and allow the display of the PDF without the CSP policy tries to stop it. But of course this might be a different in how to interpret the CSP spec. If a domain opens a new tab and that points to another domain that serves a content the requires a plugin, should that domains CSP come into play here? Of course our site is driving traffic to the other domain but the PDF isn't served from our domain. The solution is of course to specify all domains that we load PDF from. This would most likely solve the problem. But would be good if we had one common view on how this should be handled over the different browsers.

I have tried to add a couple of screenshots as well as some proxy logs on the actual traffic that is going on. 

1.png -> the view of the customer before clicking to view the e-invoice
2.png -> the view of the customer after clicked the view link and a new tab has been opened
3.png -> network traffic one the POST to the external domain e-faktura1.stralfors.net which response with a 302 and redirect the traffic
4.png -> Request to the redirect to /invoiceViewer/showInvoiceSE.htm. Gives 200
5.png -> Response from the request, contains the PDF document

But the end results is that the CSP served from online.swedbank.se kicks in and stops the initiation of the PDFPlugin in Safari.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170512/d7f5cbf1/attachment.html>

More information about the webkit-unassigned mailing list