[Webkit-unassigned] [Bug 187870] Cannot view PDF's on my.gov.au: "Refused to load https://my.gov.au/attachment/viewAttachment because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy"

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 20 13:59:00 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=187870

--- Comment #1 from Daniel Bates <dbates at webkit.org> ---
The page that opened the new window to the attachment has the following CSP policy delivered in an HTTP header:

default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' 'unsafe-inline' https://www.centrelink.gov.au; style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; frame-src 'self'; font-src 'self'; frame-ancestors 'none'

And <https://my.gov.au/attachment/viewAttachment> does not have a CSP policy.

-- 
You are receiving this mail because:
You are the assignee for the bug.
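
As an added illustration (not WebKit code and not part of the bug comment), the sketch below parses the policy quoted above and resolves which directive governs a plugin load. With no object-src present, the check falls back to default-src 'none', which is the condition named in the console message in the bug title. The function names, the simplified source matching, and the opener origin https://my.gov.au are assumptions of this example.

```javascript
// Policy string copied from the comment above.
const POLICY = "default-src 'none'; connect-src 'self'; img-src 'self' data:; " +
  "script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' 'unsafe-inline' " +
  "https://www.centrelink.gov.au; style-src 'self' 'unsafe-inline' " +
  "https://www.centrelink.gov.au; form-action 'self'; " +
  "plugin-types application/pdf application/x-shockwave-flash; frame-src 'self'; " +
  "font-src 'self'; frame-ancestors 'none'";

// Parse a serialized policy into Map(directive name -> list of source tokens).
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives that are absent fall back to default-src.
function effectiveDirective(directives, name) {
  if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  if (directives.has("default-src")) {
    return { directive: "default-src", sources: directives.get("default-src") };
  }
  return { directive: null, sources: null }; // no restriction applies
}

// Simplified matching (assumption): handles 'none', 'self', scheme sources
// such as data:, and host sources written with a scheme. No wildcards or paths.
function allows(directives, name, url, selfOrigin) {
  const { sources } = effectiveDirective(directives, name);
  if (sources === null) return true;
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === selfOrigin;
    if (src.startsWith("'")) return false; // 'none', nonces, 'unsafe-inline'
    if (src.endsWith(":")) return target.protocol === src;
    return target.origin === new URL(src).origin;
  });
}

const parsed = parsePolicy(POLICY);
const pdf = "https://my.gov.au/attachment/viewAttachment";
console.log(effectiveDirective(parsed, "object-src").directive);
console.log(allows(parsed, "object-src", pdf, "https://my.gov.au"));
```

The same URL passes the frame-src check, so the block is specific to the load being treated as a plugin (object) load.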