bitnami / vms

Bitnami VMs
https://bitnami.com

[Redmine] PDF attachment files not displayed from Safari #1439

Closed itazula closed 6 months ago

itazula commented 6 months ago

Platform

AWS

bndiagnostic ID

84a9ba13-0bce-6137-ab51-f3d2a662533e

bndiagnostic output

✓ Resources: No issues found
? Connectivity: Found possible issues
✓ Mariadb: No issues found
✓ Processes: No issues found
✓ Apache: No issues found

bndiagnostic was not useful. Could you please tell us why?

We limit access to ssh

Describe your issue as much as you can

Hello, I am using the Bitnami distribution of Redmine 5.0.6-3-r06 on Debian 11 (Bullseye). The Bitnami provided changelog can be seen at https://bitnami.com/stack/redmine/amidebian-x64-hvm-ebs-nami/changelog.txt

I believe that the lack of a proper CSP header is preventing the display of PDF attachments from within the Safari browser (Safari 17.3.1 on macOS Sonoma 14.3.1).

PDF files are displayed without issue in Chrome and Firefox.

The apache config file (/home/bitnami/stack/apache/conf/httpd.conf) contains a headers_module block.

The default headers_module is as follows:

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

With the above configuration, PDF file attachments are not displayed.

I revised the block by adding a CSP header:

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
    # 2024-03-10 Paul added CSP
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" 
</IfModule>

(I realize that the CSP header I've written is not ideal security-wise.)

After making this addition, the PDF is not displayed on the first try. But after returning to the download screen and clicking on the link again, the PDF is displayed perfectly. Are there any ideas on how to cause the PDF to display properly from the very first try?

mdhont commented 6 months ago

I recommend asking in the application's dedicated forum. The issue does not seem related to the Bitnami configuration and usually they will have a better understanding of the specifics of the application there.

itazula commented 6 months ago

I've written a similar post at [https://www.redmine.org/issues/29405]. Because there are other CSP-related postings/issues submitted to Bitnami Support (regarding Wordpress, Discourse, Keycloak, etc.) I thought Bitnami Support might have some insight in this issue.

itazula commented 6 months ago

I think I solved this, but I really should have the change vetted by the Redmine developers, because it probably weakens security. I removed the word “sandbox” from ~/stack/redmine/app/controllers/attachments_controller.rb:

headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

I also reverted the change I had made to Apache's httpd.conf back to the original form.

Now, in Safari, PDF files are displayed within the browser from the very first try.
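The trade-off in the comment above, as an added example (this is not Redmine's or Bitnami's code). The `sandbox` directive in the attachment policy is what makes the browser treat a served upload as a unique origin with scripts disabled, so an uploaded HTML or SVG file cannot run in the Redmine origin; the thread reports that the same directive stops Safari rendering PDFs inline. Instead of dropping `sandbox` for every attachment, the builder below keeps it by default and omits it only for an inline PDF response. The function names, the `ATTACHMENT_CSP` constant, the `nosniff` header and the inline-PDF exception are this example's own choices, not Redmine behaviour.

```ruby
# Added example, not code from Redmine or the Bitnami stack.
# Builds and inspects the Content-Security-Policy sent with an attachment.
#
# Redmine's attachments_controller.rb (quoted in the thread) sends
#   default-src 'none'; style-src 'unsafe-inline'; sandbox
# for every attachment. This builder keeps that policy and removes
# 'sandbox' only when a PDF is being served for inline display.

# Default attachment policy (same directives as the line quoted in the thread).
ATTACHMENT_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox".freeze

# Parses a CSP header value into { directive_name => [values] }.
# Valueless directives such as 'sandbox' map to an empty array.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    policy[tokens.first.downcase] = tokens.drop(1)
  end
end

# Inverse of parse_csp: directives joined with '; ' in insertion order.
def serialize_csp(policy)
  policy.map { |name, values| [name, *values].join(' ') }.join('; ')
end

# Returns the CSP value for one attachment response.
# content_type: the MIME type the server will send for the file
# inline:       true when the response is Content-Disposition: inline
# The exception is keyed on the type the server sends, not on the file
# name, so an HTML upload served as text/html keeps the sandbox.
def attachment_csp(content_type:, inline:)
  policy = parse_csp(ATTACHMENT_CSP)
  policy.delete('sandbox') if inline && content_type == 'application/pdf'
  serialize_csp(policy)
end

# Full header set for an attachment response (hypothetical helper).
# nosniff keeps the browser from reinterpreting the body as another type.
def attachment_headers(filename:, content_type:, inline:)
  {
    'Content-Type'            => content_type,
    'Content-Disposition'     => "#{inline ? 'inline' : 'attachment'}; filename=\"#{filename}\"",
    'X-Content-Type-Options'  => 'nosniff',
    'Content-Security-Policy' => attachment_csp(content_type: content_type, inline: inline)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample uploads, not real Redmine data.
  [
    ['report.pdf', 'application/pdf', true],
    ['report.pdf', 'application/pdf', false],
    ['page.html',  'text/html',       true],
    ['logo.svg',   'image/svg+xml',   true]
  ].each do |name, type, inline|
    h = attachment_headers(filename: name, content_type: type, inline: inline)
    puts "#{name.ljust(11)} inline=#{inline.to_s.ljust(5)} CSP: #{h['Content-Security-Policy']}"
  end
end
```

A per-response policy like this only reaches the browser if nothing in front of the application rewrites it: the `Header set Content-Security-Policy ...` line the thread adds to httpd.conf replaces any header of that name already on the response, so a site-wide policy set there would overwrite whatever the attachment controller emitted.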

itazula commented 6 months ago

A recent comment has been made in the redmine.org thread where I previously contributed, discussing the utilization of the CSP support already provided within Rails. See https://www.redmine.org/issues/29405. This will probably lead to the ultimate solution.

itazula commented 6 months ago

Hmmm, although I had come to think otherwise, it may in fact be necessary for the CSP policy to be specified in the Apache httpd.conf file too. Caching and other factors may be creating some inconsistency in my testing. So, I've respecified the CSP. Together with the modification to attachments_controller.rb, we're good for now.