Partners and Developers

shevchenko · ‎05-12-2021

Hello,

I am a developer behind the application Customs Buddy. This application helps merchants to generate commercial invoices based on their orders. After an invoice is generated - Merchant can download it as PDF.

But I am facing one limitation. I am not able to trigger a download of a PDF file with <a href="blob://" dowload>Download</a>. This happens due to a Content-Security-Policy setting, which arrives when URL "[store].myshopify.com/admin/apps/commercial-invoice-staging" is requested.

My question (ask) is if this is possible to either:

add 'blob:' to 'frame-src' attribute in Content-Secutity-Policy header when our app is requested ([store].myshopify.com/admin/apps/commercial-invoice-staging)
or make this change globally

In my opinion, application developers will only benefit from such change and I do not see any potential security issues that this change can cause.

(as a current workaround, I have to open pdf in a new tab, where the merchant has to download it via browser PDF viewer, unfortunately not the best user experience)

Thanks a lot,
Viktor

nvent97 · ‎01-05-2022

Hello Shevchenko, I am currently facing the same error on a Shopify Aplication, were you able to fix or did you find any other solution?

Thanks in advance!

shevchenko · ‎01-06-2022

Hi, still using a workaround. This issue has to be pushed further to Shopify developers, but I do not have time to do it now.

Partners and Developers

File download in embedded app not allowed due to Content Security Policy

File download in embedded app not allowed due to Content Security Policy

Re: File download in embedded app not allowed due to Content Security Policy

Re: File download in embedded app not allowed due to Content Security Policy

Shopify Community

Support

Shopify

Quick Links