Embed PDF file PaperMod theme

support
1

I use the theme PaperMOd and the hugo-embed-pdf-shortcode .
Locally, I see the PDF embedded but not on the public website.
Is there anything I miss?

2

Maybe :wink:

But without having places to look for, how could we find anything.

3

You are right.
This is the repo: GitHub - nicfab/nicfab_gh

4

The website is here: https://www.nicfab.eu.
See the last post.

5

Not sure what the “last” post is. The ones from July 30 and July 29 contain links to PDFs which both work. Those two posts are “last” in the sense of “most recently” but the first in the sense of “the first that you see on the page”.

Or do you mean “last” in the sense of “the post at the bottom of the page”? That one does not link to a PDF.

So, what are you referring to, and what exactly is the problem? It would be easier if you stated the problem clearly upfront and so that it’s easy and obvious how to reproduce it.

6

For the last post I refer to that one: The European Commission published the Second Report on the application of the General Data Protection Regulation | NicFab Blog
I mean that the PDF is not embedded and you don’t see it on the public website, while I can see it correctly embedded locally.
I also tried to comment the Content Security Policy in the NGINX file conf but nothing changed.

7

According to Firefox, your script-src CSP is set to
'self' https://cdn.jsdelivr.net/npm/pdfjs-dist@3.4.120/build/pdf.min.js https://matomo.nicfab.eu 'unsafe-inline' 'unsafe-eval'"

And then you try to load an external JS from https://latest.cactus.chat/cactus.js. As well as a worker script from another domain.

That’s not a Hugo issue. Check FF’s error messages for CSP conflicts and fix them.

8

I thoroughly commented on the Content Security Policy, but the PDF on the public website is not embedded; it works only locally.
I don’t know why.

9

It looks like CSP missing

On Netlify you can try _headers file in static folder


/*
Content-Security-Policy: base-uri 'self' 'unsafe-inline' 'unsafe-eval' https: data:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
Access-Control-Allow-Origin: *
10

I solved. There were two issues:

  1. I made a mistake by installing the plugin hugo-embed-pdf-shortcode;
  2. I configured the NGINX directive add_header Content-Security-Policy properly.

Thank you for your support.

11

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.