https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42080

            Bug ID: 42080
           Summary: Invoice PDFs are forced downloads
   Initiative type: ---
Sponsorship status: ---
           Product: Koha
           Version: Main
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Acquisitions
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

Our acquisitions technician preferred being able to view invoice PDFs directly
in the browser, behavior which bug 41591 changed to prevent an SVG XSS attack.

We would prefer if invoice-files.pl served files inline with a CSP header
instead of forcing a download. Basically, replace -attachment =>
$file->{'file_name'} with 'Content-Security-Policy' => "default-src 'none';
script-src 'none';".

Arguably, Koha could add an op=view here so we could use JS to change the
current op=download links to op=view if other libraries do not want to view
files inline. But my assumption is that what our staff want is popular; it's
not just extra clicks to find the downloaded PDF but a context shift to a
reader app outside the browser.

A more involved solution would be using a condition to download SVGs but render
other attachment types inline. I believe inferring mime type from file
extension is fine in this context since a browser will not execute code in an
SVG served with a PDF mimetype, so "malicious.svg.pdf" would not work.
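A sketch of the conditional approach described above, added here as an illustration and not Koha's own code: SVG and unknown types keep the forced download from bug 41591, the listed types are rendered inline with the proposed CSP header, and X-Content-Type-Options: nosniff is added so a browser cannot sniff a double-extension file back into an active type. The header key names assume CGI.pm's header() conventions (the same call that takes -attachment today); the extension tables and sample file names are constructed for the example.

```perl
use strict;
use warnings;

# Extensions a browser can execute script from when rendered inline.
my %ACTIVE_CONTENT = map { $_ => 1 } qw(svg svgz html htm xhtml xml js);

# Extensions we are willing to render inline, with the MIME type to send.
my %INLINE_TYPES = (
    pdf  => 'application/pdf',
    png  => 'image/png',
    jpg  => 'image/jpeg',
    jpeg => 'image/jpeg',
    txt  => 'text/plain',
);

# Returns a CGI.pm-style header argument list for the given attachment name.
# Assumption: the caller passes the result to $cgi->header(...).
sub attachment_headers {
    my ($file_name) = @_;

    # Only the final extension decides; "malicious.svg.pdf" is treated as PDF
    # and sent with nosniff so the browser cannot reinterpret it as SVG.
    my ($ext) = $file_name =~ /\.([A-Za-z0-9]+)\z/;
    $ext = lc( $ext // '' );

    # Active or unknown types keep the forced download from bug 41591.
    if ( $ACTIVE_CONTENT{$ext} || !$INLINE_TYPES{$ext} ) {
        return (
            -type                   => 'application/octet-stream',
            -attachment             => $file_name,
            -X_Content_Type_Options => 'nosniff',
        );
    }

    # Strip characters that would break or split the Content-Disposition header.
    ( my $safe_name = $file_name ) =~ s/["\r\n\\]//g;
    return (
        -type                      => $INLINE_TYPES{$ext},
        '-Content-Disposition'     => qq{inline; filename="$safe_name"},
        '-Content-Security-Policy' => "default-src 'none'; script-src 'none';",
        -X_Content_Type_Options    => 'nosniff',
    );
}

# Constructed sample names to show both branches.
for my $name ( 'invoice-2024-17.pdf', 'logo.svg', 'malicious.svg.pdf', 'notes' ) {
    my %h = attachment_headers($name);
    print "$name:\n";
    print "  $_ => $h{$_}\n" for sort keys %h;
}
```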

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/