PDF Viewer in Firefox Download Button Does Nothing - Works in Chrome though
I really enjoy Firefox, but lately I've been having to go back to Chrome to get things done. The latest is that when I view a PDF in the browser the option to download the file does nothing. I then tried the same website on Google Chrome, the button worked and I was able to download the file.
I tried setting Firefox to open the PDF in Acrobat but there were no changes. I also tried using Firefox in Private mode in case an extension was causing a problem.
The website is the county records search site for Miami, Florida. Search for any name, view a record, the click on Document image. A PDF opens in the browser with a print option, and a download option. The download option does nothing when clicked on. Do the same on Google Chrome, then it does work.
Thanks for any help!
Enter about:config in the URL bar and set security.csp.enable = false. Then once again press the download button. Does it work now?Read this answer in context 👍 1
All Replies (6)
Enter about:config in the URL bar and set security.csp.enable = false. Then once again press the download button. Does it work now?
Thank You! That did help!! I was able to download the PDF.
It means that their security setup is messed up.
The site is using a custom PDF viewer in a frame in the page instead of Firefox's built-in PDF viewer or Chrome's PDF plugin. They aren't sending the actual PDF file, but a stream of data, and this is how they render the content.
As TyDraniu notes, Firefox is applying the site's Content Security Policy rules to the embedded viewer, which restrict the types of URLs the page can "load". I get this error in the Web Console for an example document when clicking the download button:
Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://onlineservices.miami-dadeclerk.com/cdfbf8bd-7c23-400a-ad52-560e0cd6aca7 (“default-src”).
The rule for default-src in the CSP header does not allow blob: URLs -- those only appear under img-src (for images) (same for the main page and for viewer.html):
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval';img-src 'self' blob: https:;
I don't know why Chrome behaves differently in applying the same CSP rules.
Could you ask the site to take a look at this problem?
Someone who has a better idea how pdf.js downloading works could file an issue on pdf.js.
You should keep CSP (Content Security Policy) enabled during normal browsing, especially on any site where you have an account you don't want to lose control of, since it can protect against alien content in web pages.
Thank You, I enabled it again. It's a government website so I don't think they would be very responsive. :-(