<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Inline styles added by Webkit when viewing PDFs cause CSP violation" href="https://bugs.webkit.org/show_bug.cgi?id=166630">166630</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Inline styles added by Webkit when viewing PDFs cause CSP violation
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Windows 10
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>j162011&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>If a site has a CSP that disallows inline styles, then a CSP violation report is sent when viewing a PDF.

Steps to reproduce 
1) View a PDF document [1] on a site with a CSP that disallows inline styles
2) Open developer tools and look at the console

Actual results
* An error message showing a CSP violation is shown

[Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-1kQs8h/ra9YlH+s6eZbKdSD/cn6Ljcz2Rv60pJnk/eY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Expected results
A CSP violation should not happen.
The inline styles could be moved to a stylesheet to stop this happening.

[1] for example: <a href="https://cuoc.soc.srcf.net/eventdetails/2015/cityrace/flyer.pdf">https://cuoc.soc.srcf.net/eventdetails/2015/cityrace/flyer.pdf</a>

At the time of the bug report, the CSP on document [1] was

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'none'; img-src * data:; child-src 'none'; block-all-mixed-content; report-uri <a href="https://cfdfb69390e4d94a41b74106a231c475.report-uri.io/r/default/csp/reportOnly">https://cfdfb69390e4d94a41b74106a231c475.report-uri.io/r/default/csp/reportOnly</a></pre>
        </div>
      </p>
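      <p>The fallback named in the console message (no style-src, so default-src governs inline styles) can be checked against a policy offline. The following is an added example, not part of the bug report or of WebKit; the function names, the sample CSS and the report-uri endpoint are constructed assumptions.</p>

```javascript
const { createHash } = require('crypto');

// Policy quoted in the report; the report-uri endpoint is a constructed placeholder.
const REPORTED_POLICY =
  "default-src 'self'; script-src 'none'; img-src * data:; child-src 'none'; " +
  "block-all-mixed-content; report-uri https://csp-reports.example/r";

// Split a serialized policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hash source for the exact text of a style block, in the form CSP expects.
function styleHashSource(cssText) {
  const digest = createHash('sha256').update(cssText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Decide whether an inline style block passes and which directive decided it.
// Models only the fallback named in the console message: style-src, then default-src.
function checkInlineStyle(policy, cssText, nonce) {
  const directives = parsePolicy(policy);
  const directive = ['style-src', 'default-src'].find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null, reason: 'no governing directive' };
  const sources = directives.get(directive);
  const hash = styleHashSource(cssText);
  if (sources.includes(hash)) return { allowed: true, directive, reason: 'hash' };
  if (nonce && sources.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, directive, reason: 'nonce' };
  }
  // 'unsafe-inline' is ignored once any nonce or hash source is listed.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && !hasNonceOrHash) return { allowed: true, directive, reason: 'unsafe-inline' };
  return { allowed: false, directive, reason: `needs 'unsafe-inline', ${hash} or a nonce` };
}

// Constructed sample CSS; the styles WebKit injects for PDFs are not shown in the report.
const verdict = checkInlineStyle(REPORTED_POLICY, 'body { margin: 0; }');
console.log(verdict.allowed, verdict.directive, verdict.reason);
```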
    </body>
</html>