Announcement

Collapse
No announcement yet.

Security Warning when loading attachment via iframe

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Security Warning when loading attachment via iframe

    Hello,

    The following code results in a security warning in my browser. Any idea how to fix. Also, I tried using an <object> tag instead but the problem there is upon loading the pdf multiple times in my modal window it tells me the contact was loaded insecurely. So I guess I have to use the iframe approach but this warning is annoying.

    HTML Code:
    <iframe id="iframe-pdf" class="iframe-pdf" frameborder="0" style="margin: 0px; height: 900px; width: 100%; opacity: 1" src="/?entryPoint=download&amp;id={{{attachmentId}}}"></iframe>
    Warning: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy.


    Approach # 2: (This works on the first modal window load, but if I open the modal again I get the error below.

    HTML Code:
    <object data="/?entryPoint=download&amp;id={{{attachmentId}}}" type="application/pdf" width="100%" height="900px">alt : <a target="_BLANK" href="/?entryPoint=download&amp;id={{{attachentId}}}">View PDF</a></object>
    Error
    The resource was requested insecurely.









    Tags: None
    • Likes 1
  • #2
    Hi,

    What exactly error do you get? Try setting the parameter clientXFrameOptionsHeaderDisabled to true in data/config-internal.php. https://docs.espocrm.com/administrat...rams/#security

    Comment

    • czcpf
      #2.1
      czcpf commented
      03-17-2023, 09:27 PM
      Editing a comment
      It isn't an error, it is a warning when I use iframe approach: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
  • #3
    I think this warning is either specific to the EntryPoint=download script or something with the pdf itself because no warnings are issues when doing something like this:

    HTML Code:
    <iframe id="iframe-pdf" class="iframe-pdf" frameborder="0" style="margin: 0px; height: 900px; width: 100%; opacity: 0" src="/"></iframe>

    Comment

    • #4
      UPDATE

      It seems if I add this in /EntryPoints/Download.php the warning goes away.

      Line 102 (Using Espo 7.2.7)
      PHP Code:
      $response->setHeader('Content-Security-Policy'"default-src 'self'; style-src 'unsafe-inline';"); 
      I wonder how secure is this and why style's are being applied inline. Maybe that is how browser's handle styles embedded in PDF's ? yuri, how insecure is doing this?


      UPDATE 2

      It turns out this has nothing to do with the iframe or any styles embedded in the pdf as far as I can tell. In fact, visiting the url directly without iframe shows the same warning. It looks like what happens is the UserAgent of the browser being used to render the PDF adds some styling to the content:

      HTML Code:
      <html><body marginwidth="0" marginheight="0" style="background-color: rgb(128, 128, 128);"><embed width="100%" height="100%" name="plugin" src="/?entryPoint=download&amp;id=" type="application/pdf"><div id="annotationContainer"><style>#annotationContainer {    overflow: hidden;     position: absolute;     pointer-events: none;     top: 0;     left: 0;     right: 0;     bottom: 0;     display: -webkit-box;     -webkit-box-align: center;     -webkit-box-pack: center; } .annotation {     position: absolute;     pointer-events: auto; } textarea.annotation {     resize: none; } input.annotation[type='password'] {     position: static;     width: 238px;     height: 20px;     margin-top: 110px;     font-size: 15px; } </style></div></body></html>
      So only way I can see overcoming the warning is to add something like below to Download.php

      PHP Code:
      $response->setHeader('Content-Security-Policy'"default-src 'self'");

      if(      $type == 'application/pdf') {
      $response->setHeader('Content-Security-Policy'"default-src 'self'; style-src 'unsafe-inline';");
      }      ​ 
      Last edited by czcpf; 03-18-2023, 12:29 AM.

      Comment

      Previous template Next
      Working...
      X