Plugin no longer works on osTicket 1.18

[buff0k]

I upgraded my osTicket deployment to 1.18.1 and discovered that the plugin no longer functions. Am looking into the code but I suspect it may ba the javascript not really playing nice with osTicket 1.18.

[buff0k]

Can also confirm that the same problem exists with 1.17.5

[buff0k]

[10-Nov-2023 06:34:06 UTC] PHP Fatal error: Cannot make non static method Plugin::getInstance() static in class AttachmentPreviewPlugin in /include/plugins/attachment_preview/class.AttachmentPreviewPlugin.php on line 83

[jabrugger]

Same issue here.

[nandi96]

Hi everyone,

We found a temporary solution for this bug, simply install this plugin in Chrome or Edge:
https://chromewebstore.google.com/detail/pdf-viewer/oemmndcbldboiebfnladdacbdfmadadm

After install you must allow the active content (javascript) and File URL permission in the plugin's settings.

[phatair]

Hello,
is there any solution for this problem? Is this plugin still under development? We have the same problem, that the pdf is not displayed inline.
We are on osticket 1.18.1 and PHP 8.2.

I will test the chrome app but it would be nice if the plugin could be updated.
Are there any plans?

Best regards

[impedator]

Hello, I'm using this plugin with osTicket 1.18.1 with apache server, after initial challenges now works great, need to add new header in your apache virtualhost config:
Header set Content-Security-Policy "object-src 'self' blob:;"

[nandi96]

Tested, it works!

[buff0k]

@impedator does not work for me, pdfs still only showing blank.

[impedator]

@buff0k did you checked browser console for errors when opening page with ticket? please provide some info about environment.

[buff0k]

@impedator the issue I am geetting now is:
Refused to load plugin data from '' because it violates the following Content Security Policy directive: "object-src 'none'".

Note that I am using Nginx with the header included by:
add_header Content-Security-Policy "object-src 'self' blob:;";

I'm going to check other headers that might conflict.

[impedator]

@buff0k - try: add_header Content-Security-Policy "object-src '*' blob:;"; and check if this is working ok, if yes then investigate proper domain or source, remember that it is not a good idea to use * there ;-)

[buff0k]

@impedator
I am now hitting:
Refused to load plugin data from '' because it violates the following Content Security Policy directive: "object-src '*' blob:".
Not sure what is causing this but now Console also reports:
Refused to load plugin data from '' because it violates the following Content Security Policy directive: "object-src 'none'".

So Nginx is applying both policies but neither is passing it through as it runs into the none policy, I need to figure out what is setting that.

[nandi96]

Look this -> osTicket/osTicket#6624

[Cm-8]

Any news?

I have currently applied changes by @impedator

impedator/osTicket@3e40543#diff-9d3ede82cbb2ca67574bfe9f98bf9ccce84ccb967cadf16cb0ed80ce66d64363R3

[ramrajone]

Any news?

I have currently applied changes by @impedator

impedator/osTicket@3e40543#diff-9d3ede82cbb2ca67574bfe9f98bf9ccce84ccb967cadf16cb0ed80ce66d64363R3

This works for v1.17.5
include/staff/header.inc.php

updated to:
header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes()."; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' blob:");

old:
header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes()."; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'");

[jayavman]

Totally worked for me :> thanks!

[buff0k]

I can confirm that this works in v1.18.1 as well.