[Webkit-unassigned] [Bug 243324] New: webkit-pdfjs-viewer URI scheme should not be blocked by CSP

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 28 16:44:34 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=243324

            Bug ID: 243324
           Summary: webkit-pdfjs-viewer URI scheme should not be blocked
                    by CSP
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: PDF
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: thorton at apple.com

Try loading: https://www.ameren.com/-/media/rates/files/missouri/uecsheet54rate1mres.ashx

It gets blocked by the page's CSP:

[Error] Refused to load webkit-pdfjs-viewer://pdfjs/web/viewer.html?file=#pagemode=none because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
[Error] Refused to load webkit-pdfjs-viewer://pdfjs/extras/adwaita/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
[Error] Refused to load webkit-pdfjs-viewer://pdfjs/extras/content-script.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.

We should exempt our own internal webkit-pdfjs-viewer URI scheme from CSP checks. It's an implementation detail of the website. We actually added new public WPE/GTK port API to allow Epiphany to do this, webkit_web_view_set_cors_allowlist() (which is suddenly no longer needed now that we've moved PDF.js to WebKit).

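The three refusals in the console output above follow from CSP directive fallback: a custom scheme is allowed only if the governing directive (or default-src, when that directive is absent) lists it. The following is an added example, not WebKit code and not part of the bug report, that models this with a simplified source-list matcher; the sample policy, the function names and the `exemptSchemes` parameter are assumptions made for illustration.

```javascript
// Simplified model of CSP source-list matching; not WebKit's implementation.
// Constructed sample policy: the site's real policy is not shown in the report.
const SAMPLE_POLICY = "default-src 'self' https:; script-src 'self' https://cdn.example";
const PAGE_ORIGIN = "https://www.ameren.com";
// The three loads named in the console errors above.
const VIEWER_LOADS = [
  ["frame-src", "webkit-pdfjs-viewer://pdfjs/web/viewer.html?file=#pagemode=none"],
  ["style-src", "webkit-pdfjs-viewer://pdfjs/extras/adwaita/style.css"],
  ["script-src", "webkit-pdfjs-viewer://pdfjs/extras/content-script.js"],
];

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  // "*" covers network schemes only, never a custom scheme.
  if (source === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  try {
    const s = new URL(source); // host-source such as https://cdn.example
    return s.protocol === url.protocol && s.host === url.host;
  } catch {
    return false; // 'none', keywords, nonces and hashes never match a URL here
  }
}

function isAllowed(policy, directive, rawUrl, pageOrigin, exemptSchemes = []) {
  const url = new URL(rawUrl);
  // Hypothetical exemption for browser-internal schemes, as the report proposes.
  if (exemptSchemes.includes(url.protocol)) return true;
  // frame-src, style-src and script-src all fall back to default-src.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // nothing governs this load
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const policy = parsePolicy(SAMPLE_POLICY);
for (const [directive, url] of VIEWER_LOADS) {
  console.log(directive, isAllowed(policy, directive, url, PAGE_ORIGIN),
    isAllowed(policy, directive, url, PAGE_ORIGIN, ["webkit-pdfjs-viewer:"]));
}
```

An exemption keyed on scheme like this is only sound if web content cannot cause arbitrary resources to be served under that scheme.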