I'm introducing a trivial PDF "rendering engine" for T13105.
In Firefox, this works as-is.
In Chrome, the actual document.pdf page must serve with an object-src Content-Security-Policy which includes itself. I'm modifying file responses to allow objects sourced from the same domain if the file is a PDF to support this, which I think is sufficiently narrow.
In Safari, I can't quite figure out the rules.
It needs the object-src CSP or it won't load at all. (Edit: No it doesn't?) With the object-src CSP, it will load if you navigate to the URL directly (e.g., by copy-pasting). It will also work if you click a link to the URL.
However, it does not work if you click a target="_blank" link, which is what I want to use.
I also can't figure out how to get the Developer Console to open up in this case to see if there are any errors.
Since this seems a lot like a bug in Safari and I'm the only user of Safari in the whole world, I'm going to leave the behavior in place for now. A workaround is to Command-Click the link instead (or "Open in New Tab") to open a tab yourself, which works (???).