diff --git a/controller/displaycontroller.php b/controller/displaycontroller.php
index fadd2b2..1a80df1 100644
--- a/controller/displaycontroller.php
+++ b/controller/displaycontroller.php
@@ -49,6 +49,7 @@ public function showPdfViewer() {
 $policy->addAllowedChildSrcDomain('\'self\'');
 $policy->addAllowedFontDomain('data:');
 $policy->addAllowedImageDomain('*');
+ $policy->addAllowedConnectDomain('blob:');
 $policy->allowEvalScript(false);
 $response->setContentSecurityPolicy($policy);
diff --git a/js/workersrc.js b/js/workersrc.js
index 51ad7ad..180d124 100644
--- a/js/workersrc.js
+++ b/js/workersrc.js
@@ -3,7 +3,7 @@
 **/
 function redirectIfNotDisplayedInFrame () {
 try {
- if (window.frameElement) {
+ if (window.frameElement || location.href.indexOf('?file=blob') !== false) {
 return;
 }
 } catch (e) {}
diff --git a/tests/unit/controller/displaycontrollertest.php b/tests/unit/controller/displaycontrollertest.php
index bcbdd25..62a8ee3 100644
--- a/tests/unit/controller/displaycontrollertest.php
+++ b/tests/unit/controller/displaycontrollertest.php
@@ -55,6 +55,7 @@ public function testShowPdfViewer() {
 $policy->addAllowedChildSrcDomain('\'self\'');
 $policy->addAllowedFontDomain('data:');
 $policy->addAllowedImageDomain('*');
+ $policy->addAllowedConnectDomain('blob:');
 $policy->allowEvalScript(false);
 $expectedResponse->setContentSecurityPolicy($policy);
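Review bot: The new `addAllowedConnectDomain('blob:')` line in showPdfViewer relaxes the viewer's Content-Security-Policy without a comment saying why, and CSP relaxations are exactly the lines that later get widened or removed without context. The js/workersrc.js hunk in the same commit suggests the viewer is now opened with a blob-backed `file=` parameter, so the reason appears to be that the page must be able to fetch its own blob: URL; I would record that above the line, e.g. `// connect-src must admit blob: so the viewer can fetch the PDF handed to it as a blob URL (see js/workersrc.js)`. The mirrored line in tests/unit/controller/displaycontrollertest.php only asserts that the policy is built identically, so a comment in the controller is the only place the intent will be visible. showPdfViewer starts and ends outside the hunk.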
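Review bot: The new condition `location.href.indexOf('?file=blob') !== false` is always true, because `String.prototype.indexOf` returns a number (-1 when absent), never `false`; the `||` therefore short-circuits to `return` on every call and redirectIfNotDisplayedInFrame no longer redirects anything, so the in-frame check it implements is effectively disabled for every URL. The intended comparison is `if (window.frameElement || location.href.indexOf('?file=blob') !== -1) {`. Note also that this is a substring match over the whole href, so any URL containing `?file=blob` anywhere satisfies it; if the exemption is meant only for blob-backed files, checking `location.search` for the exact parameter form would be tighter, but I cannot tell from the hunk what the full parameter value looks like. The function's closing lines are outside the hunk.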