adobe / pdf-embed-api-samples

Samples for Adobe Document Services PDF Embed API
https://documentcloud.adobe.com/view-sdk-demo/index.html
MIT License

Adobe Embed API CSP Error Chrome 98 #65

Open simionrobert opened 1 month ago

simionrobert commented 1 month ago

Expected Behaviour

Adobe PDF Embed services should also work in older browser versions like Chrome 98. In regard to this, the 'data:' element should exist in the 'script-src' CSP HTTP header.

Actual Behaviour

In Chrome version 98, the iframe generated by the Adobe Embed API (https://github.com/adobe/pdf-embed-api-samples/tree/master/More%20Samples/Angular%20Samples) throws the error: Refused to load the script 'data:application/javascript;charset=utf-8;base64,Ly0...' because it violates the following Content Security Policy Directive: "script -src 'self' use.typekit.net ...".

Hence, the problem is that the 'data:' element is not included in the 'script-src' CSP HTTP header. Below is the CSP HTTP header:

default-src 'none'; upgrade-insecure-requests; base-uri 'self'; form-action 'none'; script-src 'self' use.typekit.net assets.adobedtm.com www.adobe.com/marketingtech/ prod.adobeccstatic.com/utilnav/ widget.uservoice.com by2.uservoice.com/t2/ assets.adobe.com api.demandbase.com/api/v2/ip.json commerce.adobe.com; style-src 'self' 'unsafe-inline' use.typekit.net prod.adobeccstatic.com/utilnav/ assets.adobe.com; connect-src 'self' dc-api.adobe.io dc-api-v2.adobe.io p13n.adobe.io/fg/api/ sstats.adobe.com dpm.demdex.net viewlicense.adobe.io/viewsdklicense/ viewlicense.adobe.io/domainVerification/ viewlicense.adobe.io/variations/service_delivery_auth performance.typekit.net use.typekit.net p.typekit.net dc-api.adobecontent.io dc-api-v2.adobecontent.io by2.uservoice.com/t2/ pgc.adobe.io/api/discovery files.acrobat.com/api/base_uris *.adobesign.com/ *.documents.adobe.com/ cctypekit.adobe.io/v1/ bps-il.adobe.io/jil-api/users/ *.amazonaws.com commerce.adobe.com send.acrobat.com; img-src 'self' blob: data: about: p.typekit.net images.pexels.com/photos/ *.documents.adobe.com/ *.adobesign.com/ *.echosign.com; frame-src 'self' https://acrobat.uservoice.com/ *.documents.adobe.com/ commerce.adobe.com *.adobesign.com/ *.echosign.com; font-src 'self' use.typekit.net; child-src 'self'; report-uri https://dc-api.adobe.io/system/csp?source=viewsdkprod

Reproduce Scenario (including but not limited to)

Steps to Reproduce

  1. Install Chrome 98
  2. Build and run the project
  3. Open the website and view the pdf file

Platform and Version

Chrome 98, Angular 18

Sample Code that illustrates the problem

Logs taken while reproducing problem
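As an added example (not code from this issue or from the Adobe Embed API), a small CSP source-list matcher that shows why the script-src directive quoted above refuses a data: URL script, and that adding 'data:' admits every data: script, not only the viewer's; the policy subset, page origin and script URLs below are constructed.

```javascript
// Added example, not code from the issue or from the Adobe Embed API: a minimal
// CSP source-list matcher. It skips nonces, hashes and the finer points of CSP3
// path matching; the policy and origins below are constructed.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+))?(\/.*)?$/i;

// True if `url` may load as a script in a document at `pageOrigin` under `csp`.
function scriptAllowed(csp, url, pageOrigin) {
  const sources = csp['script-src'] ?? csp['default-src'] ?? []; // CSP fallback rule
  const u = new URL(url);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (u.origin === new URL(pageOrigin).origin) return true; continue; }
    if (src.startsWith("'")) continue;          // other keywords are not host/scheme sources
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {    // scheme source such as data: or https:
      if (u.protocol === src.toLowerCase()) return true;
      continue;
    }
    const m = HOST_SOURCE.exec(src);
    if (!m) continue;
    const [, scheme, wildcard, host, port, path] = m;
    if (scheme && u.protocol !== scheme.toLowerCase() + ':') continue;
    const h = host.toLowerCase();
    if (!(wildcard ? u.hostname.endsWith('.' + h) : u.hostname === h)) continue;
    if (port && u.port !== port) continue;
    if (path && !(path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path)) continue;
    return true;
  }
  return false;
}

// Constructed subset of the policy in the issue; only default-src/script-src matter here.
const ISSUE_POLICY = "default-src 'none'; script-src 'self' use.typekit.net www.adobe.com/marketingtech/ *.adobesign.com/ commerce.adobe.com";
const DATA_SCRIPT = 'data:application/javascript;charset=utf-8;base64,Ly0=';
const PAGE = 'https://app.example.test';

// [blocked under the issue's policy, allowed once 'data:' is appended]. The second
// policy admits any data: script, which is why CSP guidance treats data: in
// script-src much like 'unsafe-inline'.
function dataScriptOutcome() {
  const before = scriptAllowed(parseCsp(ISSUE_POLICY), DATA_SCRIPT, PAGE);
  const after = scriptAllowed(parseCsp(ISSUE_POLICY + ' data:'), DATA_SCRIPT, PAGE);
  return [before, after]; // → [false, true]
}
```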

dannycabrera commented 4 weeks ago

Running into the same. Applied a content-security-policy meta tag, which did not help. The weird part is that if I open Developer Tools, the PDF will load, so not sure what Developer Tools is doing to allow it to load. Some additional context: I'm loading a base64 string client-side, which is loaded into the adobeDCView object via a promise.

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' https://use.typekit.net https://assets.adobedtm.com https://www.adobe.com/marketingtech/ https://prod.adobeccstatic.com/utilnav/ https://widget.uservoice.com https://by2.uservoice.com/t2/ https://assets.adobe.com https://api.demandbase.com/api/v2/ip.json https://commerce.adobe.com https://acrobatservices.adobe.com https://dc-api.adobe.io">