Allow inline PDF display in CSP header

src/pretix/control/views/event.py

@@ -316,7 +316,8 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
     def get(self, request, *args, **kwargs):
         pdf = build_preview_invoice_pdf(request.event)
         resp = HttpResponse(pdf, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="invoice-preview.pdf"'
+        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+        resp['Content-Disposition'] = 'inline; filename="invoice-preview.pdf"'
         return resp
 
 
@@ -527,7 +528,11 @@ class TicketSettingsPreview(EventPermissionRequiredMixin, View):
         fname, mimet, data = tickets.preview(self.request.event.pk, self.output.identifier)
         resp = HttpResponse(data, content_type=mimet)
         ftype = fname.split(".")[-1]
-        resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+        if mimet == "application/pdf":
+            resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+        else:
+            resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
         return resp
 
     def get_error_url(self) -> str:

src/pretix/presale/views/order.py

@@ -580,9 +580,15 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
             return render(self.request, "pretixbase/cachedfiles/pending.html", {})
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+            if ct.type == "application/pdf":
-                self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
-            )
+                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+                )
+            else:
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+                )
             return resp
 
     def _download_position(self):
@@ -613,10 +619,17 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
             return render(self.request, "pretixbase/cachedfiles/pending.html", {})
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+            if ct.type == "application/pdf":
-                self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
-                self.output.identifier, ct.extension
+                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}-{}{}"'.format(
-            )
+                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                    self.output.identifier, ct.extension
+                )
+            else:
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                    self.output.identifier, ct.extension
+                )
             return resp
 
 
@@ -646,5 +659,6 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
             return redirect(self.get_order_url())
 
         resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
+        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
         return resp