Allow inline PDF display in CSP header

2026-05-04 15:04:03 +00:00 · 2017-05-08 09:36:55 +02:00
parent 962cdef69a
commit 3de85975d6
2 changed files with 29 additions and 10 deletions
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -316,7 +316,8 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
    def get(self, request, *args, **kwargs):
        pdf = build_preview_invoice_pdf(request.event)
        resp = HttpResponse(pdf, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="invoice-preview.pdf"'
+        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+        resp['Content-Disposition'] = 'inline; filename="invoice-preview.pdf"'
        return resp


@@ -527,7 +528,11 @@ class TicketSettingsPreview(EventPermissionRequiredMixin, View):
        fname, mimet, data = tickets.preview(self.request.event.pk, self.output.identifier)
        resp = HttpResponse(data, content_type=mimet)
        ftype = fname.split(".")[-1]
-        resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+        if mimet == "application/pdf":
+            resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+        else:
+            resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
        return resp

    def get_error_url(self) -> str: