Security Warning when loading attachment via iframe

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • czcpf
    Senior Member
    • Aug 2022
    • 160

    Security Warning when loading attachment via iframe

    Hello,

    The following code results in a security warning in my browser. Any idea how to fix. Also, I tried using an <object> tag instead but the problem there is upon loading the pdf multiple times in my modal window it tells me the contact was loaded insecurely. So I guess I have to use the iframe approach but this warning is annoying.

    HTML Code:
    <iframe id="iframe-pdf" class="iframe-pdf" frameborder="0" style="margin: 0px; height: 900px; width: 100%; opacity: 1" src="/?entryPoint=download&amp;id={{{attachmentId}}}"></iframe>
    Warning: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy.


    Approach # 2: (This works on the first modal window load, but if I open the modal again I get the error below.

    HTML Code:
    <object data="/?entryPoint=download&amp;id={{{attachmentId}}}" type="application/pdf" width="100%" height="900px">alt : <a target="_BLANK" href="/?entryPoint=download&amp;id={{{attachentId}}}">View PDF</a></object>
    Error
    The resource was requested insecurely.









  • yuri
    Member
    • Mar 2014
    • 8453

    #2
    Hi,

    What exactly error do you get? Try setting the parameter clientXFrameOptionsHeaderDisabled to true in data/config-internal.php. https://docs.espocrm.com/administrat...rams/#security
    If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.

    Comment


    • czcpf
      czcpf commented
      Editing a comment
      It isn't an error, it is a warning when I use iframe approach: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
  • czcpf
    Senior Member
    • Aug 2022
    • 160

    #3
    I think this warning is either specific to the EntryPoint=download script or something with the pdf itself because no warnings are issues when doing something like this:

    HTML Code:
    <iframe id="iframe-pdf" class="iframe-pdf" frameborder="0" style="margin: 0px; height: 900px; width: 100%; opacity: 0" src="/"></iframe>

    Comment

    • czcpf
      Senior Member
      • Aug 2022
      • 160

      #4
      UPDATE

      It seems if I add this in /EntryPoints/Download.php the warning goes away.

      Line 102 (Using Espo 7.2.7)
      PHP Code:
      $response->setHeader('Content-Security-Policy', "default-src 'self'; style-src 'unsafe-inline';"); 
      
      I wonder how secure is this and why style's are being applied inline. Maybe that is how browser's handle styles embedded in PDF's ? yuri, how insecure is doing this?


      UPDATE 2

      It turns out this has nothing to do with the iframe or any styles embedded in the pdf as far as I can tell. In fact, visiting the url directly without iframe shows the same warning. It looks like what happens is the UserAgent of the browser being used to render the PDF adds some styling to the content:

      HTML Code:
      <html><body marginwidth="0" marginheight="0" style="background-color: rgb(128, 128, 128);"><embed width="100%" height="100%" name="plugin" src="/?entryPoint=download&amp;id=" type="application/pdf"><div id="annotationContainer"><style>#annotationContainer {    overflow: hidden;     position: absolute;     pointer-events: none;     top: 0;     left: 0;     right: 0;     bottom: 0;     display: -webkit-box;     -webkit-box-align: center;     -webkit-box-pack: center; } .annotation {     position: absolute;     pointer-events: auto; } textarea.annotation {     resize: none; } input.annotation[type='password'] {     position: static;     width: 238px;     height: 20px;     margin-top: 110px;     font-size: 15px; } </style></div></body></html>
      So only way I can see overcoming the warning is to add something like below to Download.php

      PHP Code:
      $response->setHeader('Content-Security-Policy', "default-src 'self'");
      
      if($type == 'application/pdf') {
      $response->setHeader('Content-Security-Policy', "default-src 'self'; style-src 'unsafe-inline';");
      }
      Last edited by czcpf; 03-18-2023, 12:29 AM.

      Comment

      Working...