Open simionrobert opened 1 month ago
Running into same. Applied a content-security-policy meta tag which did not help. Weird part is that if I open Developer Tools, the PDF will load, so not sure what Developer Tools is doing to allow it to load. Some additional context: I'm loading a base64 string client-side which is loaded into the adobeDCView object via a promise.
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' https://use.typekit.net https://assets.adobedtm.com https://www.adobe.com/marketingtech/ https://prod.adobeccstatic.com/utilnav/ https://widget.uservoice.com https://by2.uservoice.com/t2/ https://assets.adobe.com https://api.demandbase.com/api/v2/ip.json https://commerce.adobe.com https://acrobatservices.adobe.com https://dc-api.adobe.io">
Expected Behaviour
Adobe pdf embed services should also work in older browser versions like Chrome 98. In regards to this, the 'data:' element in the 'script-src' CSP HTTP header should exist.
Actual Behaviour
In Chrome version 98, the iframe generated by the Adobe Embed API (https://github.com/adobe/pdf-embed-api-samples/tree/master/More%20Samples/Angular%20Samples) throws the error:
Refused to load the script 'data:application/javascript;charset=utf-8;base64,Ly0...' because it violates the following Content Security Policy Directive: "script-src 'self' use.typekit.net ...".
Hence, the problem is that the 'data:' element in the 'script-src' CSP HTTP header is not included. Below is the CSP HTTP Header.
default-src 'none'; upgrade-insecure-requests; base-uri 'self'; form-action 'none'; script-src 'self' use.typekit.net assets.adobedtm.com www.adobe.com/marketingtech/ prod.adobeccstatic.com/utilnav/ widget.uservoice.com by2.uservoice.com/t2/ assets.adobe.com api.demandbase.com/api/v2/ip.json commerce.adobe.com; style-src 'self' 'unsafe-inline' use.typekit.net prod.adobeccstatic.com/utilnav/ assets.adobe.com; connect-src 'self' dc-api.adobe.io dc-api-v2.adobe.io p13n.adobe.io/fg/api/ sstats.adobe.com dpm.demdex.net viewlicense.adobe.io/viewsdklicense/ viewlicense.adobe.io/domainVerification/ viewlicense.adobe.io/variations/service_delivery_auth performance.typekit.net use.typekit.net p.typekit.net dc-api.adobecontent.io dc-api-v2.adobecontent.io by2.uservoice.com/t2/ pgc.adobe.io/api/discovery files.acrobat.com/api/base_uris *.adobesign.com/ *.documents.adobe.com/ cctypekit.adobe.io/v1/ bps-il.adobe.io/jil-api/users/ *.amazonaws.com commerce.adobe.com send.acrobat.com; img-src 'self' blob: data: about: p.typekit.net images.pexels.com/photos/ *.documents.adobe.com/ *.adobesign.com/ *.echosign.com; frame-src 'self' https://acrobat.uservoice.com/ *.documents.adobe.com/ commerce.adobe.com *.adobesign.com/ *.echosign.com; font-src 'self' use.typekit.net; child-src 'self'; report-uri https://dc-api.adobe.io/system/csp?source=viewsdkprod
Reproduce Scenario (including but not limited to)
Steps to Reproduce
Platform and Version
Chrome 98 Angular 18
Sample Code that illustrates the problem
Logs taken while reproducing problem
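An added example, not part of the issue thread and not Adobe's code: a minimal evaluator for the question raised above, whether a set of CSP policies lets a `data:` URL load as a script. The two sample policies are shortened from the header and the meta tag quoted on this page, and the function names are hypothetical.

```javascript
// Added example (not Adobe's code): does a CSP permit a data: URL as a script source?
// Sample policies are shortened from the header and meta tag quoted in the issue.
const HEADER_POLICY =
  "default-src 'none'; script-src 'self' use.typekit.net assets.adobedtm.com; " +
  "img-src 'self' blob: data:";
const META_POLICY =
  "script-src 'self' 'unsafe-inline' https://acrobatservices.adobe.com https://dc-api.adobe.io";

// Parse a serialized policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Script element loads are governed by script-src-elem, then script-src, then default-src.
function effectiveScriptSources(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // the policy places no restriction on scripts
}

// A data: URL is matched only by an explicit "data:" scheme-source.
// Host sources, 'self', 'unsafe-inline' and the "*" wildcard do not match it.
function policyAllowsDataScript(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === 'data:');
}

// Every policy delivered for a document is enforced, so a load must pass all of them.
function allPoliciesAllowDataScript(policies) {
  return policies.every(policyAllowsDataScript);
}
```

Because policies are enforced together, a looser policy can only add restrictions and cannot relax a stricter one delivered in a header. Adding `data:` to `script-src` permits any `data:` URL to run as script, which weakens the policy against injected markup.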