Content Security Policy Issue on Safari

Urgent situation. Please help. Bonus will be given.

I have a PDF viewer that is using pdf.js library.
Issue: the Download button is not working on Safari (iOS and OS).
The issue can be replicated using BrowserStack.com or using a real device.

Steps to reproduce:
1. Access link: https://pastebin.com/eZMFgBJG
2. Click on Save Button (down arrow icon) on top right.

Error on console: "Refused to load blob (...) because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy."

The pdf.js viewer is being loaded on an iframe. This is what is causing the error. If I call the pdf.js viewer directly (without the iframe), there is no error. The Content Security Policy error is triggered because the download action is being called within an iframe.

This is the URL of the iframe by itself: https://pastebin.com/VVMUty1U

I added CSP to both the parent and the iframe, with all permissions via PHP and via meta tag, but it seems it's not enough.
header("Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline';font-src * data: blob: 'unsafe-inline';frame-ancestors * data: blob: 'unsafe-inline'; child-src * data: blob: 'unsafe-inline'");

On the iframe I added: <meta http-equiv="Content-Security-Policy" content="default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline';font-src * data: blob: 'unsafe-inline';frame-ancestors * data: blob: 'unsafe-inline'; child-src * data: blob: 'unsafe-inline'">

Please help!!!

25 days ago
Tags
pdfjs
csp


0 Solutions
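The console message in the post names two directives, frame-src and default-src, because CSP resolves a frame load through a fallback chain (frame-src, then child-src, then default-src) and then matches the URL's scheme against the listed sources; '*' does not cover blob:, data: or filesystem: URLs, which must be listed explicitly. The checker below is an added example, not code from the post or from pdf.js: it parses a policy string and reports which directive governs a frame load and whether a given URL passes it. The sample policies are constructed for the example except the first, which is the header value from the post; under these spec rules that policy does list blob: in frame-src, so the refusal is not explained by the policy text alone and is worth comparing with what Safari actually enforces for blob: frames. Two details of the post's policy the checker does not flag: frame-ancestors is ignored when delivered in a meta tag, and 'unsafe-inline' is not a valid source in frame-src, child-src or frame-ancestors (it is simply dropped).

```python
"""Minimal Content-Security-Policy frame-load checker (added example).

Answers the question behind the Safari console message: for a URL loaded
into a frame, which directive governs it and does the URL match a source?
"""
from urllib.parse import urlsplit

# CSP3 fallback chain for nested browsing contexts.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

# Schemes that the '*' host-source matches (network schemes only).
NETWORK_SCHEMES = ("http", "https", "ws", "wss")

# Copied from the post's PHP header() call.
POST_POLICY = (
    "default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; "
    "script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; "
    "frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline';"
    "font-src * data: blob: 'unsafe-inline';frame-ancestors * data: blob: 'unsafe-inline'; "
    "child-src * data: blob: 'unsafe-inline'"
)

# Constructed policy that would produce the same kind of refusal.
STRICT_POLICY = "default-src 'self'; frame-src https://viewer.example"


def parse_csp(policy: str) -> dict:
    """Parse 'name src src; name src' into {name: [sources]}.

    A repeated directive name is ignored, as browsers do.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective_directive(directives: dict, chain=FRAME_FALLBACK):
    """Return (name, sources) for the first directive present in the chain."""
    for name in chain:
        if name in directives:
            return name, directives[name]
    return None, None


def source_matches(source: str, url: str) -> bool:
    """Match one source expression against a URL.

    Covers '*', scheme sources such as 'blob:' or 'https:', and an exact
    scheme+host. Keyword sources ('self', 'unsafe-inline', ...) are treated as
    non-matching: 'self' would need the document origin, which this checker
    does not model.
    """
    parts = urlsplit(url)
    if source == "*":
        return parts.scheme in NETWORK_SCHEMES
    if source.startswith("'"):
        return False
    if source.endswith(":") and "/" not in source:
        return parts.scheme == source[:-1]
    src = urlsplit(source)
    return (src.scheme, src.netloc) == (parts.scheme, parts.netloc)


def check_frame_load(policy: str, url: str) -> tuple:
    """Return (allowed, governing_directive) for loading url into a frame.

    When no directive in the chain is present, CSP does not restrict the load.
    """
    name, sources = effective_directive(parse_csp(policy))
    if name is None:
        return True, None
    return any(source_matches(s, url) for s in sources), name


if __name__ == "__main__":
    blob_url = "blob:https://example.com/0000-constructed-uuid"
    for label, policy in (("post policy", POST_POLICY), ("strict policy", STRICT_POLICY)):
        allowed, directive = check_frame_load(policy, blob_url)
        print(f"{label}: governed by {directive}, allowed={allowed}")
```

Run it as a script to see both verdicts, or call check_frame_load() with the policy a server actually sends (read it from the response headers rather than retyping it) and the blob: URL from the console message.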