问题
I have the CSP (Content-security-policy) plugin-types policy set to white-list pdf type as below. When trying to open a PDF file in iframe with src attribute, It is working well with browsers IE 11, and Firefox 47+ but failing in Chrome 50+. What else is required to make it working in chrome?
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self'; frame-src 'self' plugin-types application/pdf;
Error in chrome console
Resource interpreted as Document but transferred with MIME type application/pdf
Refused to load 'http://127.0.0.1/module123/open.do?id=10000' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/pdf'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
回答1:
I had a similar problem.
To resolve the problem, I needed to add blob: to the object-src directive.
Also, I did not need to specify plugin-type.
So it would be:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' blob:; style-src 'self'; frame-src 'self';
来源:https://stackoverflow.com/questions/37795479/opening-a-pdf-embedded-in-iframe-in-chrome-with-content-security-policy-plugin