diff --git a/src/pretix/control/views/event.py b/src/pretix/control/views/event.py
index acd59be1de..dd22c96235 100644
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -316,7 +316,8 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
 def get(self, request, *args, **kwargs):
 pdf = build_preview_invoice_pdf(request.event)
 resp = HttpResponse(pdf, content_type='application/pdf')
- resp['Content-Disposition'] = 'attachment; filename="invoice-preview.pdf"'
+ resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+ resp['Content-Disposition'] = 'inline; filename="invoice-preview.pdf"'
 return resp
@@ -527,7 +528,11 @@ class TicketSettingsPreview(EventPermissionRequiredMixin, View):
 fname, mimet, data = tickets.preview(self.request.event.pk, self.output.identifier)
 resp = HttpResponse(data, content_type=mimet)
 ftype = fname.split(".")[-1]
- resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+ if mimet == "application/pdf":
+ resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+ resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+ else:
+ resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
 return resp
 def get_error_url(self) -> str:
diff --git a/src/pretix/presale/views/order.py b/src/pretix/presale/views/order.py
index fabc2c59e9..2b29c31ba2 100644
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
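Review bot: The policy on the added `Content-Security-Policy` line declares only `style-src` and `object-src`, so on its own it does not constrain scripts, frames or network fetches for the PDF that is now rendered in this origin, and there is no `default-src` fallback. If a site-wide CSP middleware merges into this header and supplies the rest (presumably the reason these two directives are the only ones relaxed: inline styles for the browser's PDF viewer, same-origin object embedding), a short comment saying so would save the next reader the check; otherwise `resp['Content-Security-Policy'] = "default-src 'none'; style-src 'unsafe-inline'; object-src 'self'"` keeps the two allowances and denies everything else. The same literal is written out five times across this commit, so a shared constant would keep the copies from drifting apart. The `get` body is complete inside the hunk, but the `InvoicePreview` class begins before it.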
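Review bot: The exact comparison `mimet == "application/pdf"` on the new `if` means any other value the output reports — including a PDF type carrying parameters — keeps the attachment disposition, which is the safe direction, and that fail-closed intent deserves a comment so nobody later loosens it to `startswith`: `# Only a bare application/pdf is shown inline; every other type stays a download`. The CSP string is now duplicated inside this file; a module-level `PDF_INLINE_CSP = "style-src 'unsafe-inline'; object-src 'self'"` used by both views would keep them in sync. The method enclosing this hunk begins before it.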
@@ -580,9 +580,15 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
 return render(self.request, "pretixbase/cachedfiles/pending.html", {})
 else:
 resp = FileResponse(ct.file.file, content_type=ct.type)
- resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
- self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
- )
+ if ct.type == "application/pdf":
+ resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+ resp['Content-Disposition'] = 'inline; filename="{}-{}-{}{}"'.format(
+ self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+ )
+ else:
+ resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+ self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+ )
 return resp
 def _download_position(self):
@@ -613,10 +619,17 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
 return render(self.request, "pretixbase/cachedfiles/pending.html", {})
 else:
 resp = FileResponse(ct.file.file, content_type=ct.type)
- resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
- self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
- self.output.identifier, ct.extension
- )
+ if ct.type == "application/pdf":
+ resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+ resp['Content-Disposition'] = 'inline; filename="{}-{}-{}-{}{}"'.format(
+ self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+ self.output.identifier, ct.extension
+ )
+ else:
+ resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+ self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+ self.output.identifier, ct.extension
+ )
 return resp
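Review bot: The inline branch added after `resp = FileResponse(ct.file.file, content_type=ct.type)` now renders a cached file in the customer-facing origin on the strength of the stored `ct.type` alone, so it should also set `resp['X-Content-Type-Options'] = 'nosniff'` on that branch unless Django's SecurityMiddleware is already enforcing it site-wide, which this diff cannot show. The file is presumably produced server-side by the ticket output rather than uploaded, so the exposure is the viewer's behaviour rather than attacker-authored PDF bytes, but the header is cheap insurance for an inline response. The method enclosing this hunk begins before it.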
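Review bot: Both arms of the new `if ct.type == "application/pdf":` repeat the four-line `.format(...)` call verbatim and differ only in the word `inline` versus `attachment`; building the filename once and choosing the disposition keeps the two from diverging the next time the name format changes. The CSP value could likewise come from one shared constant, as the identical literal appears five times across the two files in this commit. `_download_position` begins before this hunk.
```python
            resp = FileResponse(ct.file.file, content_type=ct.type)
            filename = '{}-{}-{}-{}{}'.format(
                self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
                self.output.identifier, ct.extension
            )
            # Only a bare application/pdf is rendered in the browser; anything else stays a download
            if ct.type == "application/pdf":
                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
                disposition = 'inline'
            else:
                disposition = 'attachment'
            resp['Content-Disposition'] = '{}; filename="{}"'.format(disposition, filename)
            return resp
```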
@@ -646,5 +659,6 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
 return redirect(self.get_order_url())
 resp = FileResponse(invoice.file.file, content_type='application/pdf')
- resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
+ resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+ resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
 return resp
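Review bot: Nothing on the two new lines records why invoices switched from a download to in-browser rendering or why exactly these two CSP directives are the ones granted, and this is the view every customer reaches from the order page. A why-comment above the header, e.g. `# Shown inline; the CSP grants only what browser PDF viewers need (inline styles, same-origin object embedding)`, would stop the next maintainer from tightening or dropping it blindly. The `filename="{}.pdf"` parameter still interpolates `invoice.number` unescaped inside the quotes, which is fine only as long as invoice numbers never contain `"` — presumably guaranteed by the number generator, but not checked here. The method enclosing the hunk begins before it.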