Support

Change "Allow direct access, except .php files, to these directories" to plugins/content/up/actions/pdf .

Remove the entries from "Allow direct access to these files" and "Allow direct access, including .php files, to these directories".

Disable "Protect against common file injection attacks" since the argument to viewer.html is an unencoded URL which triggers this protection.

I see the same files being blocked, which does not make sense given what we just did.

Did you click on Save & Create .htaccess? Clicking on Save Changes only updates the configuration in the database, it does not apply the changes to the site's .htaccess file.

If you already did that, do you have some kind of cache or CDN in front of your site? If so, you need to reset them to, otherwise they will be serving the previous state.

Can you send me a screenshot of your .htaccess Maker options?

The "Allow direct access, except .php files, to these directories" entry must read exactly plugins/content/up/actions/pdf without a leading or trailing slash. You currently have a trailing slash.

Under Server Protection and right above Exceptions From Server Protection find the "Disable client-side risky behavior in frontend static content" and set it to No.

Reasoning: You have a .html file which loads arbitrary JavaScript to render the PDF. When the aforementioned option is enabled, it prevents JavaScript from running.

In the "Allow direct access, except .php files, to these directories" remove the plugins/content/up/actions/pdf and add 

• plugins/content/up/actions 
• plugins/content/up/assets

Reasoning: You have two subdirectories with static media files under the plugin's directory: actions and assets. Explicitly allowing both to serve static files will remove any possibility that the .htaccess file is blocking access to these files. This is a stronger permission than merely having the plugins directory in the "Frontend directories where file type exceptions are allowed".

Are you absolutely sure that if you turn Front-end Protection off this page you were having a problem with does work?

The reason I am asking is that adding a folder to the "Allow direct access, except .php files, to these directories" means that Front-end Protection is completely disabled for it, with the sole exception being .php files (which are not part of this problem anyway).

However, I am also noting that the URL used by the plugin has another URL being passed as a URL parameter. This is generally something which will trigger a server protection on most hosts. This would normally lead to a 403 Forbidden error. If your server is configured to use custom error pages but these files, as is the case on pretty much every site, do not exist you get a 404 error instead.

If the problem persists if you turn off the Front-end Protection –which I need you to retest right now so we are absolutely certain– we've been wasting our time trying to do something with Admin Tools; you'd have to contact your host and ask them what custom code you need to add to your .htaccess to disable this protection, or at least this particular rule. If the problem does persist, the it is something I can help further with.