Change Details

I'm introducing a trivial PDF "rendering engine" for T13105. In Firefox, this works as-is. In Chrome, the actual `document.pdf` page must serve with an `object-src` Content-Security-Policy which includes itself. I'm modifying file responses to allow objects sourced from the same domain if the file is a PDF to support this, which I think is sufficiently narrow. In Safari, I can't quite figure out the rules. It needs the `object-src` CSP or it won't load at all. With the `object-src` CSP, it will load if you navigate to the URL directly (e.g., by copy-pasting). It will also work if you click a link to the URL. However, it does not work if you click a `target="_blank"` link, which is what I want to use. I also can't figure out how to get the Developer Console to open up in this case to see if there are any errors. Since this seems a lot like a bug in Safari and I'm the only user of Safari in the whole world, I'm going to leave the behavior in place for now. A workaround is to Command-Click the link instead (or "Open in New Tab") to open a tab yourself, which works (???).

I'm introducing a trivial PDF "rendering engine" for T13105. In Firefox, this works as-is. In Chrome, the actual `document.pdf` page must serve with an `object-src` Content-Security-Policy which includes itself. I'm modifying file responses to allow objects sourced from the same domain if the file is a PDF to support this, which I think is sufficiently narrow. In Safari, I can't quite figure out the rules. ~~It needs the `object-src` CSP or it won't load at all.~~ (Edit: No it doesn't?) With the `object-src` CSP, it will load if you navigate to the URL directly (e.g., by copy-pasting). It will also work if you click a link to the URL. However, it does not work if you click a `target="_blank"` link, which is what I want to use. I also can't figure out how to get the Developer Console to open up in this case to see if there are any errors. Since this seems a lot like a bug in Safari and I'm the only user of Safari in the whole world, I'm going to leave the behavior in place for now. A workaround is to Command-Click the link instead (or "Open in New Tab") to open a tab yourself, which works (???).

I'm introducing a trivial PDF "rendering engine" for T13105. In Firefox, this works as-is. In Chrome, the actual `document.pdf` page must serve with an `object-src` Content-Security-Policy which includes itself. I'm modifying file responses to allow objects sourced from the same domain if the file is a PDF to support this, which I think is sufficiently narrow. In Safari, I can't quite figure out the rules. ~~It needs the `object-src` CSP or it won't load at all.~~ (Edit: No it doesn't?) With the `object-src` CSP, it will load if you navigate to the URL directly (e.g., by copy-pasting). It will also work if you click a link to the URL. However, it does not work if you click a `target="_blank"` link, which is what I want to use. I also can't figure out how to get the Developer Console to open up in this case to see if there are any errors. Since this seems a lot like a bug in Safari and I'm the only user of Safari in the whole world, I'm going to leave the behavior in place for now. A workaround is to Command-Click the link instead (or "Open in New Tab") to open a tab yourself, which works (???).