File download in embedded app not allowed due to Content Security Policy

shevchenko

Hello,

I am a developer behind the application Customs Buddy. This application helps merchants generate commercial invoices based on their orders. After an invoice is generated, the merchant can download it as a PDF.

But I am facing one limitation. I am not able to trigger a download of a PDF file with <a href="blob://" download>Download</a>. This happens due to a Content-Security-Policy setting, which arrives when the URL "[store].myshopify.com/admin/apps/commercial-invoice-staging" is requested.

My question (ask) is whether it is possible to either:

In my opinion, application developers will only benefit from such a change, and I do not see any potential security issues that this change could cause.

(As a current workaround, I have to open the PDF in a new tab, where the merchant has to download it via the browser's PDF viewer; unfortunately, not the best user experience.)

Thanks a lot,
Viktor

0 Likes