Login/Register
WebKit .pdf display seems to require CSP with 'unsafe-inline’ style-src
Asked Answered
csspdfwebkitcontent-security-policy
D

1

6

I maintain a small website for a non-profit organization. Multiple .pdfs are available for viewing on the website.

I’ve come across an issue with .pdf display in the current version of Safari (v. 16.4) (under macOS Ventura) and have also now seen it in other WebKit browsers such as DuckDuckGo and Orion.

When the website CSP contains “style-src 'self’;” a link to open a .pdf (stored in the website’s directory) results in the height of the .pdf to be severely truncated to just 154 pixels.

The developer console reports "Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive od the Content Security Policy."

Changing the CSP to include “style-src 'self' 'unsafe-inline’;” results in the .pdf being displayed as expected.

Safari 15.6.1 under macOS Catalina, Firefox and Google Chrome all display the .pdf as expected without the addition of 'unsafe-inline’ to style-src.

Is this a WebKit bug or a purposeful change in the implementation of in-browser .pdf display?

I’m aware of the security concerns of using 'unsafe-inline’ in style-src as noted in CSP style-src: 'unsafe-inline' - is it worth it?

What alternative is available to circumvent this .pdf display issue that I’ve noted (assuming it’s not a bug that will be fixed)?

Dulcimer answered 22/4, 2023 at 2:40 Comment(6)
Although I never tried to implement a workaround that would allow me to continue to use CSP with “style-src 'self’;”, I have recently noted that the latest version of Safari (v. 17.0) will display a .pdf as one would expect it to be displayed.Dulcimer
Thank you for your helpful answer. I am still using macOS Ventura and therefore Safari 16, which explains why I am still experiencing the issue.Periphrastic
Safari 17 is available for macOS Sonoma, Ventura and Monterey. For the latter two, be sure you are running the latest version of that OS. You should be able to install safari 17 via System Settings/Preferences under General --> Software Update.Dulcimer
Software Update only offers me the Sonoma upgrade, no Safari update.Periphrastic
To install Safari 17 in Ventura, in Software Update, scroll way down and past the info about macOS Sonoma. Near the very bottom you should see "Other Updates Available" and a "More Info…" link. Click on the "More Info…" link and you will be offered the latest version of Ventura (if not already installed) and/or Safari 17.Dulcimer
Well, I had to restart my Mac. Only then did "Also available" appear.Periphrastic
D
1

I've found that Safari v. 17.0 running under macOS Ventura no longer shows the problematic display of a pdf file (that I reported in my initial query) when the host website server's Content Security Policy (CSP) contains style-src 'self'.

Relative to other WebKit browsers, the current version (v. 99.123-beta) of the Orion browser also displays the pdf as expected. However, the current version of the DuckDuckGo browser (v. 1.59.3) continues to incorrectly display a pdf when the website's CSP contains style-src 'self'.

I infer from this that updates to WebKit have fixed the pdf display issue and that the DuckDuckGo browser is using an older version of WebKit than is used by Safari and Orion.

Dulcimer answered 12/10, 2023 at 20:16 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.