Allow inline PDF display in CSP header

2026-05-07 15:34:02 +00:00 · 2017-05-08 09:36:55 +02:00
parent 962cdef69a
commit 3de85975d6
2 changed files with 29 additions and 10 deletions
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -580,9 +580,15 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
            return render(self.request, "pretixbase/cachedfiles/pending.html", {})
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
-            )
+            if ct.type == "application/pdf":
+                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+                )
+            else:
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+                )
            return resp

    def _download_position(self):
@@ -613,10 +619,17 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
            return render(self.request, "pretixbase/cachedfiles/pending.html", {})
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                self.output.identifier, ct.extension
-            )
+            if ct.type == "application/pdf":
+                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                    self.output.identifier, ct.extension
+                )
+            else:
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                    self.output.identifier, ct.extension
+                )
            return resp


@@ -646,5 +659,6 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
            return redirect(self.get_order_url())

        resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
+        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
+        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
        return resp