[Webkit-unassigned] [Bug 277416] New: Using back/forward buttons with PDF, and a CSP without connect-src 'self'
bugzilla-daemon at webkit.org
Wed Jul 31 04:35:50 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=277416
Bug ID: 277416
Summary: Using back/forward buttons with PDF, and a CSP without
connect-src 'self'
Product: WebKit
Version: Safari 17
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: PDF
Assignee: webkit-unassigned at lists.webkit.org
Reporter: craig+webkit at craigfrancis.co.uk
CC: a_protyasha at apple.com
If you follow a link to a PDF and it includes a Content-Security-Policy that does not allow connect-src 'self', then use the browser's back and forward buttons; when you go forwards (to view the PDF again) it won't render the PDF, it will show a grey window, and these errors in the dev tools console:
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
[Error] Refused to connect to [URL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (pdf, line 0)
Example at:
https://craig.dev/misc/safari/2024-07-21-pdf-connect/
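The condition described in this report, as an added example that is not part of the original message and is not WebKit code: a simplified check that flags PDF responses whose policy would refuse a same-origin connection, using the connect-src then default-src fallback named in the console errors. The function names, URLs and sample policies are constructed, and source matching is assumed to cover only 'none', *, 'self', scheme sources and exact origins.

```javascript
// Added example, not WebKit code. Simplified CSP evaluation for the case in this report.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// connect-src governs the connection; default-src is the fallback named in the error text.
function effectiveConnectSrc(header) {
  const d = parseCsp(header);
  for (const name of ['connect-src', 'default-src']) {
    if (d.has(name)) return { directive: name, sources: d.get(name) };
  }
  return null; // neither directive present: connections are unrestricted
}

// Matching is limited to 'none', *, 'self', scheme sources and exact origins (assumption).
function allowsSameOriginConnect(header, pdfUrl) {
  const eff = effectiveConnectSrc(header);
  if (eff === null) return true;
  const url = new URL(pdfUrl);
  return eff.sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return url.protocol === 'https:' || url.protocol === 'http:';
    if (s === "'self'") return true; // the PDF's own URL is same-origin by definition
    return s === url.protocol || s === url.origin;
  });
}

// Constructed sample responses (hypothetical URLs and policies).
const SAMPLE_RESPONSES = [
  { url: 'https://example.com/a.pdf', type: 'application/pdf', csp: "default-src 'none'; img-src 'self'" },
  { url: 'https://example.com/b.pdf', type: 'application/pdf', csp: "default-src 'none'; connect-src 'self'" },
  { url: 'https://example.com/c.pdf', type: 'application/pdf', csp: "default-src 'self'" },
  { url: 'https://example.com/d.html', type: 'text/html', csp: "default-src 'none'" },
];

// PDF responses whose policy would refuse the same-origin connection described above.
function findAffectedPdfs(responses) {
  return responses
    .filter((r) => r.type === 'application/pdf' && !allowsSameOriginConnect(r.csp, r.url))
    .map((r) => r.url);
}
```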