https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42080 Bug ID: 42080 Summary: Invoice PDFs are forced downloads Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Acquisitions Assignee: koha-bugs@lists.koha-community.org Reporter: ephetteplace@cca.edu QA Contact: testopia@bugs.koha-community.org Our acquisitions technician preferred being able to view invoice PDFs directly in the browser, behavior which bug 41591 changed to prevent a SVG XSS attack. We would prefer if invoice-files.pl served files inline with a CSP header instead of forcing a download. Basically, replace -attachment => $file->{'file_name'} with 'Content-Security-Policy' => "default-src 'none'; script-src 'none';". Arguably, Koha could add an op=view here so we could use JS to change the current op=download links to op=view if other libraries do not want to view files inline. But my assumption is that what our staff want is popular; it's not just extra clicks to find the downloaded PDF but a context shift to a reader app outside the browser. A more involved solution would be using a condition to download SVGs but render other attachment types inline. I believe inferring mime type from file extension is fine in this context since a browser will not execute code in an SVG served with a PDF mimetype, so "malicious.svg.pdf" would not work. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.