fix(security): allow same-origin PDF previews under CSP (#1253)

Firefox/Chrome enforce object-src, so object-src 'none' blocked the inline <object> PDF preview (worked only in Safari). Relax to 'self' for same-origin file previews.
2026-06-24 07:41:47 +00:00 · 2026-06-19 17:56:26 +02:00
parent 982b99f0f6
commit adbe15abc4
1 changed files with 3 additions and 1 deletions
@@ -119,7 +119,9 @@ export function applyGlobalMiddleware(
        workerSrc: ["'self'", "blob:"],
        childSrc: ["'self'", "blob:"],
        fontSrc: ["'self'", "https://fonts.gstatic.com", "data:"],
-        objectSrc: ["'none'"],
+        // 'self' so same-origin file previews can embed PDFs via <object>/<embed>
        // (Firefox/Chrome enforce object-src; 'none' broke inline PDF previews there).
        objectSrc: ["'self'"],
        frameSrc: ["'none'"],
        frameAncestors: ["'self'"],
        // Restrict <form> submission targets (form-action has no default-src