From ae51011dbaf9b2486797dd09ca8bff565fa7ea3b Mon Sep 17 00:00:00 2001
From: Joey Camerlo <85616869+vkael@users.noreply.github.com>
Date: Thu, 23 Feb 2023 16:59:25 +0100
Subject: [PATCH 1/2] PDFViewer / CSP - frame-src object-src blob:

---
 .../lib/Controller/FilesController.php | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/packages/web-integration-oc10/lib/Controller/FilesController.php b/packages/web-integration-oc10/lib/Controller/FilesController.php
index 5c4a49b8ee2..e2e6557c387 100644
--- a/packages/web-integration-oc10/lib/Controller/FilesController.php
+++ b/packages/web-integration-oc10/lib/Controller/FilesController.php
@@ -124,16 +124,20 @@ public function getFile(string $path): Response {
 $response->setContentSecurityPolicy($csp);
 }
 if (\strpos($path, "index.html") === 0) {
- $csp = new ContentSecurityPolicy();
- $csp->allowInlineScript(true);
- $csp = $this->applyCSPOpenIDConnect($csp);
+ $csp = new ContentSecurityPolicy();
+ $csp->allowInlineScript(true);
+ $csp = $this->applyCSPOpenIDConnect($csp);
+
+ // Required to support PDF Viewer
+ $csp->addAllowedFrameDomain('\'self\'');
+ $csp->addAllowedObjectDomain('\'self\' blob:');
 
- // for now we set CSP rules manually, until we have sufficient requirements for a generic solution.
- $csp = $this->applyCSPOnlyOffice($csp);
- $csp = $this->applyCSPRichDocuments($csp);
+ // for now we set CSP rules manually, until we have sufficient requirements for a generic solution.
+ $csp = $this->applyCSPOnlyOffice($csp);
+ $csp = $this->applyCSPRichDocuments($csp);
 
- $response->setContentSecurityPolicy($csp);
- }
+ $response->setContentSecurityPolicy($csp);
+ }
 
 return $response;
 }

From 7b27c7c34af49229ba179ae747d26ae1510d5333 Mon Sep 17 00:00:00 2001
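Review bot: `$csp->addAllowedObjectDomain('\'self\' blob:');` packs two CSP source expressions into one call of a single-source API; it presumably only works because the policy builder joins its entries with spaces, so split it into `$csp->addAllowedObjectDomain('\'self\'');` and `$csp->addAllowedObjectDomain('blob:');` so each entry survives any future quoting or validation of individual sources. The subject line and the changelog in the second patch describe blob: for both frame-src and object-src, yet the hunk only adds `blob:` to object-src while frame-src gets `'self'` alone; if the viewer renders the document inside an `<iframe>` with a blob URL rather than an `<object>`/`<embed>`, frame-src would need `blob:` too, so confirm which element the viewer uses before merging. Because object-src `blob:` lets any script running on the page embed blob-backed content, and the same block already calls `allowInlineScript(true)`, the comment should record the mechanism and the intent to keep the list minimal, e.g. `// PDF viewer embeds documents from blob: URLs; keep object-src/frame-src to 'self' and blob: only.` Most of the hunk is a whitespace-only reindent of textually identical lines, which hides the three substantive additions; the body of getFile starts outside the hunk.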
From: Joey C
Date: Thu, 23 Feb 2023 17:14:59 +0100
Subject: [PATCH 2/2] Changelog

---
 changelog/unreleased/bugfix-oc10-pdf-display | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 changelog/unreleased/bugfix-oc10-pdf-display

diff --git a/changelog/unreleased/bugfix-oc10-pdf-display b/changelog/unreleased/bugfix-oc10-pdf-display
new file mode 100644
index 00000000000..18773fd28a2
--- /dev/null
+++ b/changelog/unreleased/bugfix-oc10-pdf-display
@@ -0,0 +1,7 @@
+Bugfix: PDF display issue - Update CSP object-src policy
+
+PDF display is associated with object-src / frame-src policy with blob values.
+
+We allow those for only : 'self' blob:;
+
+https://github.com/owncloud/web/pull/8498