chrome/test/data/pdf/pdf_iframe_csp.html · 7dad1c4475b73eacba0029db21683bcda832f8c7 · eriksson monteiro / tangled

Click to Open PDF: Put placeholder HTML in IFRAMEs directly · ad61fb27

Tommy C. Li authored Oct 05, 2018

Previously, when the user has a disabled PDF plugin (or no PDF plugin)
and the website has an IFRAMEed PDF, when Click to Open PDF was enabled,
we would inject a fake <object> tag into the IFRAME to force a PDF
plugin placeholder to appear.

This approach is problematic with CSP, as CSP may forbid OBJECT tags
from loading in IFRAMEs.

This CL instead injects the placeholder HTML directly into the IFRAME.

In the IFRAME case, the button is now a plain link, which should allow
the user to click it and download the PDF even if CSP forbids <object>
tags or JavaScript.

It still may trigger a CSP warning if IFRAME is prohibited from running
JavaScript, but that only hurts keyboard-accessibility, and doesn't
prevent the mainstream use case from working.

This CL also prevents the <object> tag from auto-opening the PDF after
download, which was probably a mistake, since that overrides the user
configurable "Always open with system viewer" option.

Bug: 887752, 879149, 878871
Change-Id: I900c08331d2cfc96ea7cd1cd46ea594445b0920b
Reviewed-on: https://chromium-review.googlesource.com/c/1246956Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tommy Li <tommycli@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597192}

ad61fb27

pdf_iframe_csp.html 204 Bytes

Replace pdf_iframe_csp.html