Inline PDF Previews

:discourse2: Summary Inline PDF Previews is a desktop-only theme component that will allow you to create previews for pdf attachments.
:eyeglasses: Preview Preview on Discourse Theme Creator
:hammer_and_wrench: Repository Link
:open_book: New to Discourse Themes? Beginner’s guide to using Discourse Themes

Install this theme component




As mentioned above, this component will only work on desktop. There’s very little benefit to showing the previews on mobile since everything will be so small and very hard to read.

This component uses the native browser implementation to render the pdfs, so the results will look different on different browsers.

Also, please note that pdf uploads are not allowed by default in Discourse. If you want to allow your users to upload pdf file, then you’ll need add that extension to either the authorized_extensions if you want all of your users to be able to upload pdfs, or authorized_extensions_for_staff if you want to limit that to staff members.

:information_source: If using S3 you may also need to update your CORS policy. Please see post below: Inline PDF Previews - #106 by JammyDodger

How do I use it?

  1. install the component
  2. allow pdf uploads
  3. refresh the page
  4. upload a pdf

That’s it. The rest should work automatically.


Name Description
preview mode Inline: PDF attachments will be rendered inline within posts

New Tab: PDF attachment links will take the user to a new tab where the PDF will be rendered

:discourse2: Hosted by us? Theme components are available to use on our Standard, Business, and Enterprise plans.

Last edited by @JammyDodger 2024-06-13T06:23:25Z

Check documentPerform check on document:

I’m hosting my uploads and images on S3, and the preview is blocked by a “CORS policy: No ‘Access-Control-Allow-Origin’ header is present”.

Below is what Chrome console says:

Access to fetch at '' (redirected from '') from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.


I was able to fix this by adding the following CORS policy in my S3 bucket configuration.


It’s necessary to add, that if you see this text in the error message from origin '' has been where your domain is without slash / at the end, then in the CORS configuration you should also add your domain without slash at the end like this:

1 Like

I noticed that your uploads are on AWS so, the issue is probably CORS related (the component is not active on your site for me to confirm). See the post below yours.

thanks for sharing that!

Please note that this issue will only affect self-hosters that have set up something like S3. Self-hosters that are not using S3 will not run into this issue. Customers hosted by CDCK will also not need to worry about that since they already have that set up.

That said, CORS configuration is a bit outside of the scope of this topic. If your uploads bucket does not allow your own domain access, then that needs to be fixed regardless since there might be some other issues caused by that.

I’m a little bit unsure what happened here. Both cases seem to be working for me everytime I try. We can just chalk it up to a transitory network issue but please let me know if you see it again :+1:

I pushed a tiny update to this component that should improve the loading perception, there’s now a theme-color based placeholder instead of the default browser Iframe styles. It only shows up while the file is loading so 99% of the time, you won’t even notice it.

Given that most PDFs will load instantly I didn’t feel like adding a spinner would be worth it.


Would it be possible to make PDF Preview suppressable by prepending a space before the upload link, like with oneboxing? Sometimes you want a list of documents and not previews. Sometimes you want a preview.


I’m on Safari on MacOS Catalina, and I don’t have anything disabling in-browser PDF display—for instance, displays fine. But I’m still getting the “Blocked Plug-in” window/message when I view the preview in theme-creator.

Site-specific settings in Safari prefs aren’t any different than other websites.

Is that happening for anyone else?


Still not working for me on Safari in MacOS Big Sur. No special settings to blog plugins, and other PDFs display in the browser.

Safari Web Inspector has the following complaints when loading the preview page in theme-creator:
Unrecognized Content-Security-Policy directive 'worker-src'.
Refused to load blob: because it does not appear in the object-src directive of the Content Security Policy.


This would be a vast improvement to this component! Is that doable, @Johani?


Same issue for me on Firefox, but only after the 2nd visit :wink:
Is there a workaround for this? Manual declaration in the CSP config?

Thank you

1 Like

This has stopped working on my site. I get a big black box instead of the PDF preview:

Disabling plugins via Safe Mode makes no difference, nor does removing every other Theme component.

It has happened after moving image and file uploads to S3, which might be the culprit. I hope not, because they can’t be moved back easily!

I’m stumped. Shame, as it is a great component. Any suggestions?


I am seeing the same behaviour with s3 uploads on.


Are you still able to download the pdf ?
Still working for me (s3 + secure media and no cdn) :thinking:

1 Like

Yes, we are. Have the same setup as you (I think).

1 Like


  • my links in the messages are in the form of domain/secure-media-uploads/original/...
  • but in the console/network I can see that the actual downloads come from the bucket
    Do you see the amz credential ?

if not maybe this coud help ?

I also remember that something weird was happening when I tried to move a post from categories (or was it a copy/paste?) it finally worked when I re-uploaded the file.

1 Like

I am experiencing this same behavior on a fresh discourse installation and a fresh PDF attachment.


Thanks @Benjamin_D. Turns out I don’t have secure uploads enabled, and my links all look nice and work fine, such as this one:

So I’m stumped - especially as to why it works in two forums I run and not the other - S3 being the only difference. And that you have it working with S3. I’m really confused.

1 Like

After updating to the latest version of discourse, the pdf-attachements are no longer displayed. What could be the problem ?

1 Like

It may be a conflict with another component or theme. It’s working as expected for me. Start by disabling other components and try using the default theme if yours is different. Same with plugins.


Ok - I’ve made progress. Disabling S3 uploads fixes it for new uploads. But I’m left with a S3 / local mess if I go down that road!

If could be that I am not using the CDN thingo (CloudFront) which throws up the annoying errors on the admin page. I’ll have a crack setting that up and see if that works.

later - nope, a CDN makes no difference.

much later - have removed S3 uploads successfully (with a bit of sweat) so all good now.

Now, I’m keen to improve it! Is any clever person with the skills interested in giving this a crack?


I am searching for a plugin, which allows to open the pdf in a new tab.
Current behavior of my discourse is to allow download only.
Would that be possible with a similar theme ?