Defect #40647

open

Attachment Download fails due to Content Security Policy in Safari

Added by Christian Thieme 7 months ago. Updated 4 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Attachments
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

Hello, recently an issue arose that attachment downloads (for instance PDF) don't work using Safari.

There is an error message in the JavaScript console:

Blocked script execution in 'https://redmine.test.domain/attachments/download/1234/letter.pdf' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

It is triggered by the CSP in app/controllers/attachments_controller.rb

headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

but is not affecting Firefox or Chrome, so it might be a Safari bug.

Redmine: 5.1.1
Mac OS Version: Sonoma
Safari Version: 17.4.1
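
The header quoted in the report, broken down as an added example (not Redmine code and not written by the reporter): this Ruby sketch parses the policy and lists which sandbox keywords it grants, which is none, so the 'allow-scripts' permission named in the Safari console message is absent. The helper names `parse_csp` and `sandbox_report` and the comparison policy `VARIANT` are assumptions made for illustration.

```ruby
# Keywords defined for the sandbox directive / iframe sandbox attribute (HTML standard).
SANDBOX_TOKENS = %w[
  allow-downloads allow-forms allow-modals allow-orientation-lock
  allow-pointer-lock allow-popups allow-popups-to-escape-sandbox
  allow-presentation allow-same-origin allow-scripts
  allow-top-navigation allow-top-navigation-by-user-activation
  allow-top-navigation-to-custom-protocols
].freeze

# Split a policy into { directive_name => [values] }. Directive names are
# case-insensitive and the first occurrence of a directive wins.
def parse_csp(value)
  value.split(';').each_with_object({}) do |part, directives|
    name, *args = part.strip.split(/\s+/)
    next if name.nil? # empty segment, e.g. a trailing ';'
    directives[name.downcase] ||= args
  end
end

# Returns nil when the policy does not sandbox the document; otherwise the
# sandbox keywords that are granted and those that remain blocked.
def sandbox_report(value)
  tokens = parse_csp(value)['sandbox']
  return nil if tokens.nil?
  granted = tokens.map(&:downcase) & SANDBOX_TOKENS
  { granted: granted, blocked: SANDBOX_TOKENS - granted }
end

# Header value quoted in the report above.
REPORTED = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
# Constructed variant for comparison only; the ticket does not propose it.
# Its default-src 'none' would still restrict script sources separately.
VARIANT = "default-src 'none'; style-src 'unsafe-inline'; sandbox allow-scripts"

if __FILE__ == $PROGRAM_NAME
  [REPORTED, VARIANT].each do |policy|
    report = sandbox_report(policy)
    puts policy
    puts "  sandbox grants allow-scripts: #{report[:granted].include?('allow-scripts')}"
    puts "  blocked keywords: #{report[:blocked].size} of #{SANDBOX_TOKENS.size}"
  end
end
```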

