search

adobe / aem-core-wcm-components

Standardized components to build websites with AEM.
https://docs.adobe.com/content/help/en/experience-manager-core-components/using/introduction.html
Apache License 2.0
747 stars 753 forks source link

CSP: sandbox response header prevents showing inline PDFs in Safari #2839

Open kwin opened 3 months ago

kwin commented 3 months ago

The commit https://github.com/adobe/aem-core-wcm-components/commit/18694ef650f936970720ffc370db7497a20ac7d9#diff-431ef0a11cf72a24d447085f46d6470e6fa53f2ad883836c08cdb59e832912f8R195 introduced a regression for us that PDFs do no longer display inline in Safari.

Instead Safari just exposes an empty window without a reasonable error message to the user (as if the PDF is broken). Other browser are working fine (so they seem to interpret the CSP value sandbox differently compare also with https://github.com/whatwg/html/issues/3958).

The only error message is visible in the Dev Tools Console:

Blocked script execution in '<some AEM PDF asset path>.coredownload.inline.pdf' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

In order to reproduce just request a PDF asset with extension coredownload.inline.pdf in Safari (Version 17.6 on Mac OS 14.6.1 in my case).

kwin commented 2 months ago

FTR: Adobe confirmed the issue in a support ticket (E-001329277) but is not planning to either revert the CSP header nor fixing this in some other way for Safari.

kwin commented 2 months ago

Chrome removes CSP headers (https://chromium-review.googlesource.com/c/chromium/src/+/2176415) therefore it is very unlikely that setting CSP: sandbox on inline PDFs has any security impact (at least on Chrome)