#39058 "Risky Behavior in Frontend" setting causes issue with PDFs in Safari

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
3.10.11
PHP version
7.4.33
Admin Tools version
6.1.10

Latest post by 3by400Inc on Sunday, 04 June 2023 20:03 CDT

3by400Inc

Problem:
Links to PDF files were not opening properly in Safari. The width was 100% but the height was only at about 10%.

The console revealed the following error:

[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' appears in neither the style-src directive nor the default-src directive of the Content Security Policy.


Solution (sorta):

We determined that the Admin Tools htaccess maker setting labeled "Disable client-side risky behavior in frontend static content" resulted in the blockage of Safari's PDF viewer styling due to the styling being inline.

This ticket is meant mostly to be informative, in the event others experience the same issue. However, you may want to consider eliminating pdf/PDF from the file formats that have the "risky behavior on frontend" CSP applied when that setting is enabled.

nicholas
Akeeba Staff
Manager

This works as expected and as explained in the documentation. "Disable client-side risky behavior in frontend static content" is applied to all file types set up in “Frontend file types allowed in selected directories” in the folders defined in “Frontend directories where file type exceptions are allowed”.

If you expect an entire class of files (e.g. all files with a specific extension) to require loading external resources and/or executing JavaScript, you need to set "Disable client-side risky behavior in frontend static content" to No and write your own Content-Security-Policy, which is infinitely tricky on a mass-distributed CMS where you have a number of pieces of software you have neither written yourself, nor can possibly know how exactly they work.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

3by400Inc

Hi Nicholas - 

Yes, we understand, and thank you for the reply. However, what I hoped to do by posting this ticket is save someone else time in troubleshooting: apparently unique to the Safari browser, the browser's built-in PDF viewer inserts inline styling simply to display a PDF file. We are not loading any external resources of our own doing; we simply have links to local PDF files. These work as expected in all other tested browsers, but in Safari local PDFs will not display as expected unless style-src in the CSP includes 'unsafe-inline', due to Safari's less-than-stellar PDF viewing and unfortunate standing as the iPhone's default browser.

So, with the Admin Tools default file formats listed in “Frontend file types allowed in selected directories” in the folders defined in “Frontend directories where file type exceptions are allowed”, and having "Disable client-side risky behavior in frontend static content" enabled, this will result in simple local PDF files being unable to load properly in Safari when stored in a defined frontend directory.
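
The console error quoted in this ticket comes down to one rule: inline styles apply only if 'unsafe-inline' is effective in style-src, or in default-src when style-src is absent. The JavaScript below is an added example, not part of the ticket and not Akeeba's code, that applies that rule to a Content-Security-Policy header value; the function names and sample policies are constructed for illustration and are not the header Admin Tools writes.

```javascript
// Added example: decide whether a CSP header value lets inline <style> apply.
// Models only style-src with fallback to default-src, the two directives
// named in the console error; style-src-elem/-attr are not modelled.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStyleVerdict(header) {
  const csp = parseCsp(header);
  // default-src is consulted only when style-src is absent; lists never merge.
  const governing = ['style-src', 'default-src'].find((d) => csp.has(d)) || null;
  if (governing === null) {
    return { allowed: true, governing, reason: 'no directive restricts styles' };
  }
  const sources = csp.get(governing).map((s) => s.toLowerCase());
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (hasUnsafeInline && !hasNonceOrHash) {
    return { allowed: true, governing, reason: "'unsafe-inline' is in effect" };
  }
  return { allowed: false, governing,
    reason: hasUnsafeInline ? "'unsafe-inline' ignored: nonce or hash present"
                            : "'unsafe-inline' missing" };
}

// Constructed sample policies (not the header Admin Tools actually writes).
const SAMPLES = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "default-src 'self' 'unsafe-inline'; style-src 'self'",
  "style-src 'unsafe-inline' 'nonce-abc123'",
  "script-src 'none'",
];
for (const policy of SAMPLES) {
  const v = inlineStyleVerdict(policy);
  console.log(`${v.allowed ? 'ALLOW' : 'BLOCK'}  [${v.governing}]  ${policy}  (${v.reason})`);
}
```

To check a live site, paste in the Content-Security-Policy value from the response headers of the PDF request itself, since the policy on the static file can differ from the one on the HTML page that links to it.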
