pipwerks / PDFObject

A lightweight JavaScript utility for dynamically embedding PDFs in HTML documents.
http://pdfobject.com/

Browser settings: Download PDF and PDFObject / CSP #273

Closed johnhunter closed 1 year ago

johnhunter commented 2 years ago

This isn't an issue with PDFObject itself but I'm capturing it here in case anyone else has similar issues.

Chrome, Edge (and possibly other browsers) have a PDF documents setting that can impact PDFObject when not using PDFjs. If users set PDF documents to download as default then the document will not display in the browser.

The setting can be found at:

When set to download the user will see the following:

Chrome:

image

Edge:

image

Note Edge has helpful instructions for users.

Further issues when you use CSP

If your site uses CSP and you restrict frames to specific urls then users will not see these messages. Rather, they will see the standard blocked content message shown in response to the CSP violation.

Chrome CSP blocked:

image

You also get this CSP error:

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self'".

So it seems when the download option is set then the browser intercepts the src property turning it to an empty string, which is likely to violate your typical CSP configuration.

Solutions

  1. Tell users to turn off the download setting
  2. Use the forcePDFJS option

This is a hard one to debug so I hope it's useful 🙂
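One way to detect the failure mode described in the comment above and switch to the forcePDFJS option automatically, as an added example that is not part of the thread or of PDFObject's own code. It assumes the browser raises a `securitypolicyviolation` event with an empty `blockedURI`, matching the quoted console error; `classifyFrameViolation`, `watchForBlockedPdf`, the PDF path and the viewer path are hypothetical names.

```javascript
// Added example. Assumption: the blocked frame is reported through a
// securitypolicyviolation event whose blockedURI is empty, as in the
// console message quoted in the issue ("Refused to frame ''").

// Pure classifier, so the decision logic can be exercised without a browser.
function classifyFrameViolation(v) {
  // Older engines put the whole directive text in violatedDirective
  // ("frame-src 'self'"); newer ones expose only the name in effectiveDirective.
  const directive = (v.effectiveDirective || v.violatedDirective || "")
    .trim()
    .split(/\s+/)[0];
  if (directive !== "frame-src" && directive !== "child-src") return "unrelated";

  // A genuine cross-origin frame reports its URL; the download-setting case
  // described in the issue reports an empty string.
  const blocked = (v.blockedURI || "").trim();
  return blocked === "" ? "pdf-download-setting-suspected" : "frame-blocked";
}

// Calls onSuspected at most once, so a failing fallback cannot loop.
function watchForBlockedPdf(doc, onSuspected) {
  let fired = false;
  doc.addEventListener("securitypolicyviolation", (e) => {
    if (fired) return;
    if (classifyFrameViolation(e) !== "pdf-download-setting-suspected") return;
    fired = true;
    onSuspected(e);
  });
}

// Browser wiring; skipped when there is no DOM or PDFObject is not loaded.
if (typeof document !== "undefined" && typeof PDFObject !== "undefined") {
  const PDF_URL = "/docs/sample.pdf";          // placeholder path
  // Placeholder path. Serve the PDF.js viewer from the same origin so that
  // "frame-src 'self'" permits it without loosening the policy.
  const VIEWER_URL = "/pdfjs/web/viewer.html";

  watchForBlockedPdf(document, () => {
    PDFObject.embed(PDF_URL, "#viewer", {
      forcePDFJS: true,
      PDFJS_URL: VIEWER_URL,
    });
  });

  // First attempt: native browser PDF rendering.
  PDFObject.embed(PDF_URL, "#viewer");
}
```

Register the listener before the first embed call so the violation is not missed.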

pipwerks commented 2 years ago

Thanks John!

Great timing, we just happened to run into this same error at work last week.

johnhunter commented 2 years ago

> Great timing, we just happened to run into this same error at work last week.

Haha - what a coincidence!

pipwerks commented 1 year ago

Closing, as this isn't something I can fix from within PDFObject. Thanks again for sharing, it's definitely a tricky one to troubleshoot.