CSP webpage can render <OBJECT> PDF files from other origins.…

Confirmed Issue #11850961 • Assigned to Anoop P.

Details

Created
May 1, 2017
Privacy
This issue is public.
Reports
Reported by 1 person


Steps to reproduce

https://twitter.com/i/web/status/858039310146207749

Repro Steps:

  1. Open this webpage: https://www.cracking.com.ar/demos/pdfcsp 

Observed: The PDF embedded in this webpage opens.
Expected: Content-Security-Policy is enabled on this webpage and it should not open PDFs from other domains. The webpage itself explains the problem.

Attachments

0 attachments

Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “James M.”

      Changed Assigned To to “Balaji B.”

      Changed Title from “@MSEdgeDev #edgebug #nobigdeal” to “@MSEdgeDev #edgebug #nobigdealCSP webpage can render <OBJECT PDF> files from other origins.…”

      Changed Assigned To to “Amit K.”

      Changed Steps to Reproduce

      Changed Status to “Confirmed”

      Changed Title from “@MSEdgeDev #edgebug #nobigdealCSP webpage can render <OBJECT PDF> files from other origins.…” to “CSP webpage can render <OBJECT> PDF files from other origins.…”

      Changed Assigned To from “Amit K.” to “Gourab K.”

      Changed Assigned To from “Gourab K.” to “Anoop P.”

      Changed Title from “CSP webpage can render <OBJECT> PDF files from other origins.…” to “CSP webpage can render <OBJECT> PDF files from other origins.…”
