CSP webpage can render <OBJECT> PDF files from other origins.…

Fixed Issue #11850961

Details

Created
May 1, 2017
Privacy
This issue is public.
Reports
Reported by 1 person


Steps to reproduce

https://twitter.com/i/web/status/858039310146207749

Repro Steps:

  1. Open this webpage: https://www.cracking.com.ar/demos/pdfcsp 

Observed: The PDF embedded in this webpage opens.
Expected: Content-Security-Policy is enabled on this webpage and it should not open PDFs from other domains. The webpage itself explains the problem.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “James M.”

      Changed Assigned To to “Balaji B.”

      Changed Title from “@MSEdgeDev #edgebug #nobigdeal” to “@MSEdgeDev #edgebug #nobigdealCSP webpage can render <OBJECT PDF> files from other origins.…”

      Changed Assigned To to “Amit K.”

      Changed Steps to Reproduce

      Changed Status to “Confirmed”

      Changed Title from “@MSEdgeDev #edgebug #nobigdealCSP webpage can render <OBJECT PDF> files from other origins.…” to “CSP webpage can render <OBJECT> PDF files from other origins.…”

      Changed Assigned To from “Amit K.” to “Gourab K.”

      Changed Assigned To from “Gourab K.” to “Anoop P.”

      Changed Title from “CSP webpage can render <OBJECT> PDF files from other origins.…” to “CSP webpage can render <OBJECT> PDF files from other origins.…”

      Changed Assigned To from “Anoop P.” to “Prudhvi D.”

      Changed Status from “Confirmed” to “In progress”

      Changed Status from “In progress” to “Fixed”

    • Hello,

      Thank you for providing this information about the issue. We have confirmed the problem, and we are working on a solution for a future build of Edge. We are presently tracking this issue as a duplicate of an existing internal bug report. We look forward to additional feedback you may have on how we can improve Microsoft Edge.

      Best Wishes,
      The MS Edge Team
