Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Synapse's new CSP breaks viewing transferred PDFs in Chrome #8605

Closed
ara4n opened this issue Feb 13, 2019 · 2 comments
Closed

Synapse's new CSP breaks viewing transferred PDFs in Chrome #8605

ara4n opened this issue Feb 13, 2019 · 2 comments
Assignees
@turt2live
Labels
P1 T-Defect X-Release-Blocker

Comments

@ara4n
Copy link
Member

ara4n commented Feb 13, 2019

matrix-org/synapse#4284 added "sandbox" to the media repo's CSP. This was to stop certain attachment classes being able to get at the DOM when being viewed in a tab launched from riot.

However, empirically it means that PDFs are no longer visible in Chrome - you get a big grey page, and have to know to hit 'File Save' to save the actual attachment. Instead, we should either improve the CSP so it doesn't affect PDFs (which weren't the target we were protecting from), or special-case PDFs in Riot so they are downloaded immediately as attachments.
@ara4n
Copy link
Member Author

ara4n commented Feb 13, 2019

(p1 because high profile users are getting bitten by this)

@turt2live turt2live mentioned this issue Feb 13, 2019
Closed
@dbkr
Copy link
Member

dbkr commented Mar 29, 2019

I think the conclusion here is that we should just force them to download

@turt2live turt2live self-assigned this Mar 29, 2019
turt2live added a commit to matrix-org/matrix-react-sdk that referenced this issue Mar 29, 2019
@turt2live
Download PDFs as blobs to avoid empty grey screens
62ba7dd 
Fixes element-hq/element-web#8605

The grey screen of sadness comes up when Chrome tries to open the PDF but doesn't have the right CSP headers. To avoid this, we'll just force a download of the PDF through `fetch` and `Blob`. 

There are a few cases where the user might still get a grey screen though: namely if they open the URL in a new tab or when the event content is lying about the file type, or the file is too large to blobify.

`fetch` works in Chrome, Firefox, and our packaged Electron version.
@turt2live turt2live mentioned this issue Mar 29, 2019
Merged
turt2live added a commit to matrix-org/matrix-react-sdk that referenced this issue Mar 29, 2019
@turt2live
Download PDFs as blobs to avoid empty grey screens
4d15e16 
Fixes element-hq/element-web#8605

The grey screen of sadness comes up when Chrome tries to open the PDF but doesn't have the right CSP headers. To avoid this, we'll just force a download of the PDF through `fetch` and `Blob`. 

There are a few cases where the user might still get a grey screen though: namely if they open the URL in a new tab or when the event content is lying about the file type, or the file is too large to blobify.

`fetch` works in Chrome, Firefox, and our packaged Electron version.
turt2live added a commit to matrix-org/matrix-react-sdk that referenced this issue Mar 29, 2019
@turt2live
Download PDFs as blobs to avoid empty grey screens
662a0e4 
Fixes element-hq/element-web#8605

The grey screen of sadness comes up when Chrome tries to open the PDF but doesn't have the right CSP headers. To avoid this, we'll just force a download of the PDF through `fetch` and `Blob`. 

There are a few cases where the user might still get a grey screen though: namely if they open the URL in a new tab or when the event content is lying about the file type, or the file is too large to blobify.

`fetch` works in Chrome, Firefox, and our packaged Electron version.
@olmari olmari mentioned this issue Nov 8, 2019
Open
@matrixbot matrixbot mentioned this issue Dec 21, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@turt2live turt2live

Labels
P1 T-Defect X-Release-Blocker
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@bwindels @jryans @dbkr @turt2live @ara4n