zulip/puppet
Aditya Bansal 4898fe7ebc uploads: Change Content-Security-Policy to fix issue with pdf's.
Our recent addition of Content-Security-Policy to the file uploads
backend broke in-browser previews of PDFs.

The content-types change in the last commit fixed loading PDFs for
most users; but the result was ugly, because e.g. Chrome would put the
PDF previewer into a frame (so there were 2 left scrollbars).

There were two changes needed to fix this:
* Loading the style to use the plugin.  We corrected this by adding
  `style-src 'self' 'unsafe-inline';`
* Loading the plugin.  Our CSP blocked loading the PDF viewer plugin.
  To correct this, we add object-src 'self', and then limit the
  plugin-type to just the one for application/pdf.

We verified this new CSP using https://csp-evaluator.withgoogle.com/
in addition to manual testing.
2018-04-17 12:23:24 -07:00