From fb1f6c65afde57d9d459f0a49586475b97cb992d Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 16 Jul 2019 09:16:33 +0200
Subject: [PATCH] Display invoices as inline PDF

They are not user-controllable enough to cause any harm here
---
 src/pretix/control/views/orders.py | 3 ++-
 src/pretix/presale/views/order.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pretix/control/views/orders.py b/src/pretix/control/views/orders.py
index 08db73ebe8..1b61332a6d 100644
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -1118,7 +1118,8 @@ class InvoiceDownload(EventPermissionRequiredMixin, View):
 invoice_pdf_task.apply(args=(self.invoice.pk,))
 return self.get(request, *args, **kwargs)
- resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(self.invoice.number)
+ resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(self.invoice.number)
+ resp._csp_ignore = True # Some browser's PDF readers do not work with CSP
 return resp
diff --git a/src/pretix/presale/views/order.py b/src/pretix/presale/views/order.py
index 90262701ad..9aa1b693b2 100644
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -914,5 +914,6 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
 except FileNotFoundError:
 invoice_pdf_task.apply(args=(invoice.pk,))
 return self.get(request, *args, **kwargs)
- resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
+ resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
+ resp._csp_ignore = True # Some browser's PDF readers do not work with CSP
 return resp
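Review bot: `resp._csp_ignore = True` combined with the switch to `inline` means this response is rendered inside the application's own origin, apparently with the Content-Security-Policy header suppressed, and nothing in the hunk records what makes that safe. The commit message's reasoning holds only while the body is a server-generated PDF sent with a fixed `application/pdf` content type. Where `resp` is built lies outside the hunk, so that should be confirmed and written down next to the flag, for example `# CSP skipped: body is always a server-rendered PDF served as application/pdf, never an uploaded file`. The same two lines are added to `InvoiceDownload` in src/pretix/presale/views/order.py and need the same comment.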
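Review bot: `invoice.number` is formatted directly into the quoted `filename="…"` parameter of the Content-Disposition header, so a `"` or a non-ASCII character in the number would yield a malformed header. Whether invoice numbers or their configured prefix can contain such characters is not visible here and should be checked. A minimal guard is `'inline; filename="{}.pdf"'.format(str(invoice.number).replace('"', ''))`, and the control view in src/pretix/control/views/orders.py has the same pattern. Since both views now carry the identical disposition and CSP lines, a small shared helper would keep that decision in one place; the method body starts outside the hunk.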