Closed itazula closed 6 months ago
I recommend asking in the application's dedicated forum. The issue does not seem related to the Bitnami configuration and usually they will have a better understanding of the specifics of the application there.
I've written a similar post at [https://www.redmine.org/issues/29405]. Because there are other CSP-related postings/issues submitted to Bitnami Support (regarding WordPress, Discourse, Keycloak, etc.) I thought Bitnami Support might have some insight into this issue.
I think I solved this, but I really should have the change vetted by the Redmine developers, because it probably weakens security. I removed the word “sandbox” from ~/stack/redmine/app/controllers/attachments_controller.rb:
```ruby
headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
```
I also reverted the change I had made to Apache's httpd.conf back to the original form.
Now, in Safari, PDF files are displayed within the browser from the very first try.
A recent comment has been made in the redmine.org thread where I previously contributed, discussing the utilization of the CSP support already provided within Rails. See https://www.redmine.org/issues/29405. This will probably lead to the ultimate solution.
Hmmm, although I had come to think otherwise, it may in fact be necessary for the CSP policy to be specified in the Apache httpd.conf file too. Caching and other factors may be creating some inconsistency in my testing. So, I've respecified the CSP. Together with the modification to attachments_controller.rb, we're good for now.
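The change discussed in the comments above drops the `sandbox` directive from the attachment response's Content-Security-Policy, and the later comment adds a second copy of the policy in Apache's httpd.conf. When the same policy is maintained in two places it is easy to lose track of what a given edit actually removed, so the following is a small check a practitioner can run before and after such a change. This is an added example in plain Ruby, not Redmine's, Rails', or Bitnami's code: it parses a CSP header value into its directives, reports which directives one policy string has that another lacks, and flags the weak points of a policy. `ORIGINAL_POLICY` is the header value quoted from attachments_controller.rb above; `MODIFIED_POLICY` is a constructed variant with `sandbox` removed, matching the edit described.

```ruby
# Parse a Content-Security-Policy header value into a Hash of
# directive name => list of source expressions. Directives are separated
# by ";" and are case-insensitive; a value-less directive such as
# "sandbox" maps to an empty array.
def parse_csp(value)
  value.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |directive, policy|
    name, *sources = directive.split(/\s+/)
    policy[name.downcase] = sources
  end
end

# Serialize a directive Hash back to a header value, so a policy edited
# as data (e.g. before writing it into an Apache "Header set" line) can be
# round-tripped and compared with parse_csp.
def render_csp(policy)
  policy.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# Directive names present in `before` but absent from `after`: the answer
# to "what did my edit take away?".
def dropped_directives(before, after)
  parse_csp(before).keys - parse_csp(after).keys
end

# Review findings for an attachment-serving policy. Symbols rather than
# sentences so callers can act on them programmatically.
def csp_findings(value)
  policy = parse_csp(value)
  findings = []
  # Attachments are user-supplied content; anything other than 'none' as
  # the fallback lets such content load sub-resources.
  findings << :default_src_not_none unless policy["default-src"] == ["'none'"]
  # Without sandbox the served document runs with normal page privileges.
  findings << :sandbox_missing unless policy.key?("sandbox")
  # Inline styles are permitted; this was already true in the original policy.
  findings << :inline_styles_allowed if policy.fetch("style-src", []).include?("'unsafe-inline'")
  findings
end

# The header value quoted from attachments_controller.rb above.
ORIGINAL_POLICY = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
# Constructed: the same policy with the "sandbox" directive removed.
MODIFIED_POLICY = "default-src 'none'; style-src 'unsafe-inline'"

if __FILE__ == $PROGRAM_NAME
  puts "dropped by the edit: #{dropped_directives(ORIGINAL_POLICY, MODIFIED_POLICY).inspect}"
  puts "findings (original): #{csp_findings(ORIGINAL_POLICY).inspect}"
  puts "findings (modified): #{csp_findings(MODIFIED_POLICY).inspect}"
end
```

Running it prints `["sandbox"]` as the directive the edit dropped and adds `:sandbox_missing` to the findings for the modified policy, which is a concise way to document for the Redmine developers exactly what the workaround gives up. If the policy is also set in httpd.conf, feeding both header values through `dropped_directives` in each direction shows whether the two copies have drifted apart.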
Platform
AWS
bndiagnostic ID
84a9ba13-0bce-6137-ab51-f3d2a662533e
bndiagnostic output
bndiagnostic was not useful. Could you please tell us why?
We limit access to ssh
Describe your issue as much as you can
Hello, I am using the Bitnami distribution of Redmine 5.0.6-3-r06 on Debian 11 (Bullseye). The Bitnami-provided changelog can be seen at https://bitnami.com/stack/redmine/amidebian-x64-hvm-ebs-nami/changelog.txt
I believe that the lack of a proper CSP header is preventing the display of PDF attachments from within the Safari browser (Safari 17.3.1 on macOS Sonoma 14.3.1).
PDF files are displayed without issue in Chrome and Firefox.
The Apache config file (/home/bitnami/stack/apache/conf/httpd.conf) contains a headers_module block.
The default headers_module is as follows:
With the above configuration, PDF file attachments are not displayed.
I revised the block by adding a CSP header:
(I realize that the CSP header I've written is not ideal security-wise.)
After making this addition, the PDF is not displayed on the first try. But after returning to the download screen and clicking on the link again, the PDF is displayed perfectly. Are there any ideas on how to cause the PDF to display properly from the very first try?