Describe the Bug
Because of this line sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" on the iframe, Chrome doesn't load any PDFs inside of the live preview.
I use Payload to generate and preview PDFs which is no longer working after updating Payload.
167a01e#diff-8a3bcd413d0082f04c10fbe1f1fe9e4bde1dbafee782b359012164fdea16216dR122
I also noticed a warning in the console:
"An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing."
Link to the code that reproduces this issue
https://github.com/LeanderG/payload
Reproduction Steps
- Run pnpm dev _community in the repo.
- Open an item on http://localhost:3000/admin/collections/pdf-preview
- The PDF does not load in Chrome and shows the message "This page has been blocked by Chrome" instead.
Which area(s) are affected?
area: live-preview
Environment Info
Binaries:
Node: 24.14.1
npm: 11.11.0
Yarn: N/A
pnpm: 10.27.0
Relevant Packages:
payload: 3.84.1
next: 16.2.3
@payloadcms/db-postgres: 4.0.0-beta.0
@payloadcms/live-preview-react: 4.0.0-beta.0
@payloadcms/typescript-plugin: 4.0.0-beta.0
react: 19.2.4
react-dom: 19.2.4
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 25.3.0: Wed Jan 28 20:56:35 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T6030
Available memory (MB): 18432
Available CPU cores: 12
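The check behind the console warning quoted in the report, written as an added example that is not part of the original issue or Payload's code. The function names, finding labels, `servesPdf` hint and sample URLs are constructed for illustration.

```javascript
// Added example: audit one iframe's sandbox attribute.
// All names, finding labels and sample values are constructed for illustration.
function parseSandbox(value) {
  // null/undefined: the attribute is absent, so the frame is not sandboxed at all.
  if (value == null) return null;
  // Tokens are ASCII-whitespace separated and case-insensitive.
  // An empty string is valid and means every restriction applies.
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function auditIframe({ sandbox, src, parentOrigin, servesPdf = false }) {
  const tokens = parseSandbox(sandbox);
  if (tokens === null) return ["not-sandboxed"];

  const findings = [];
  // Resolve relative preview URLs against the embedding page before comparing origins.
  const frameOrigin = new URL(src, parentOrigin).origin;
  const sameOrigin = frameOrigin === new URL(parentOrigin).origin;

  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    // A same-origin framed script can reach its own <iframe> element through the
    // parent document, remove the sandbox attribute and reload itself unsandboxed.
    // Cross-origin content keeps its own origin but cannot touch the parent DOM.
    findings.push(sameOrigin ? "sandbox-escapable" : "scripts-with-own-origin");
  }
  if (servesPdf) {
    // As reported in the issue above: Chrome does not render a PDF in a sandboxed frame.
    findings.push("pdf-viewer-blocked");
  }
  return findings;
}

// The sandbox value quoted in the report, framing a same-origin PDF preview.
const REPORTED =
  "allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads";
console.log(auditIframe({
  sandbox: REPORTED,
  src: "/preview/example.pdf",            // constructed path
  parentOrigin: "http://localhost:3000",
  servesPdf: true,
}));
```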