fix: embed pdf via direct link (#10491)

aonnikov · web-flow · commit c06ded12e2c6 · 2026-02-07T17:33:51.000+05:00
Signed-off-by: Alexander Onnikov &lt;Alexander.Onnikov@xored.com&gt;
diff --git a/packages/ui/src/components/EmbeddedPDF.svelte b/packages/ui/src/components/EmbeddedPDF.svelte
@@ -14,29 +14,11 @@
 -->
 
 <script lang="ts">
-  import { onDestroy } from 'svelte'
-  import Loading from './Loading.svelte'
-
   export let src: string
   export let name: string
   export let fit: boolean = false
   export let css: string | undefined = undefined
 
-  let iframeSrc: string | undefined = undefined
-
-  async function loadFile (src: string): Promise<void> {
-    if (iframeSrc !== undefined) {
-      URL.revokeObjectURL(iframeSrc)
-      iframeSrc = undefined
-    }
-
-    const response = await fetch(src)
-    const blob = await response.blob()
-    iframeSrc = URL.createObjectURL(blob)
-  }
-
-  $: void loadFile(src)
-
   let iframe: HTMLIFrameElement | undefined = undefined
 
   // eslint-disable-next-line @typescript-eslint/prefer-optional-chain
@@ -58,19 +40,9 @@
       }
     }
   }
-
-  onDestroy(() => {
-    if (iframeSrc !== undefined) {
-      URL.revokeObjectURL(iframeSrc)
-    }
-  })
 </script>
 
-{#if iframeSrc}
-  <iframe bind:this={iframe} class:fit src={iframeSrc + '#view=FitH&navpanes=0'} title={name} on:load />
-{:else}
-  <Loading />
-{/if}
+<iframe bind:this={iframe} class:fit src={src + '#view=FitH&navpanes=0'} title={name} on:load />
 
 <style lang="scss">
   iframe {
diff --git a/services/datalake/pod-datalake/src/handlers/blob.ts b/services/datalake/pod-datalake/src/handlers/blob.ts
@@ -25,6 +25,8 @@ import { type Datalake, wrapETag } from '../datalake'
 import { getBufferSha256, getFileSha256 } from '../hash'
 import { type TemporaryDir } from '../tempdir'
 
+const safeInlineTypes = ['application/pdf', 'image/png', 'image/jpeg', 'image/gif', 'image/webp']
+
 interface BlobParentRequest {
   parent: string | null
 }
@@ -76,13 +78,16 @@ export async function handleBlobGet (
     return
   }
 
+  const disposition = safeInlineTypes.includes(blob.contentType) ? 'inline' : 'attachment'
+
   res.setHeader('Accept-Ranges', 'bytes')
   res.setHeader('Content-Length', blob.bodyLength.toString())
   res.setHeader('Content-Type', blob.contentType ?? '')
   res.setHeader('Content-Security-Policy', "default-src 'none';")
+  res.setHeader('X-Content-Type-Options', 'nosniff')
   res.setHeader(
     'Content-Disposition',
-    filename !== undefined ? `attachment; filename*=UTF-8''${encodeURIComponent(filename)}` : 'attachment'
+    filename !== undefined ? `${disposition}; filename*=UTF-8''${encodeURIComponent(filename)}` : disposition
   )
   res.setHeader('Cache-Control', blob.cacheControl ?? cacheControl)
   res.setHeader('Last-Modified', new Date(blob.lastModified).toUTCString())
@@ -131,13 +136,16 @@ export async function handleBlobHead (
     return
   }
 
+  const disposition = safeInlineTypes.includes(head.contentType) ? 'inline' : 'attachment'
+
   res.setHeader('Accept-Ranges', 'bytes')
   res.setHeader('Content-Length', head.size.toString())
   res.setHeader('Content-Type', head.contentType ?? '')
   res.setHeader('Content-Security-Policy', "default-src 'none';")
+  res.setHeader('X-Content-Type-Options', 'nosniff')
   res.setHeader(
     'Content-Disposition',
-    filename !== undefined ? `attachment; filename*=UTF-8''${encodeURIComponent(filename)}` : 'attachment'
+    filename !== undefined ? `${disposition}; filename*=UTF-8''${encodeURIComponent(filename)}` : disposition
   )
   res.setHeader('Cache-Control', head.cacheControl ?? cacheControl)
   res.setHeader('Last-Modified', new Date(head.lastModified).toUTCString())
