diff --git a/docs/adr/0098-in-app-image-and-pdf-file-previews.md b/docs/adr/0098-in-app-image-and-pdf-file-previews.md
index 6e83cfd9..f63538c2 100644
--- a/docs/adr/0098-in-app-image-and-pdf-file-previews.md
+++ b/docs/adr/0098-in-app-image-and-pdf-file-previews.md
@@ -17,6 +17,7 @@ ADR-0086 introduced the `FilePreview` path for image binaries while keeping bina
- The scanner keeps the coarse `fileKind: "binary"` representation. Previewability stays a renderer concern inferred from the file extension in `src/utils/filePreview.ts`.
- Supported images render with `
` and supported PDFs render with the webview PDF object renderer, both using Tauri asset URLs from `convertFileSrc`.
+- The Tauri CSP permits scoped asset URLs in `object-src` so PDF objects can load vault-backed files without broadening script, connect, or image policy.
- PDF preview fallback content lives inside the PDF object so unsupported or failed renderers still expose an explicit "Open in default app" escape hatch.
- Note-list rows for previewable images and PDFs remain clickable and carry file-specific indicators; unsupported binary rows stay muted and non-clickable.
- `Escape` on the preview surface returns keyboard focus to the note list, matching the existing image-preview keyboard behavior.
diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json
index 415f4bdb..0d8f00bc 100644
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@@ -37,7 +37,7 @@
"style-src-attr": "'unsafe-inline'",
"font-src": "'self' data: https://fonts.gstatic.com",
"media-src": "'self' data: blob: https:",
- "object-src": "'none'"
+ "object-src": "'self' asset: http://asset.localhost"
},
"assetProtocol": {
"enable": true,
diff --git a/src/utils/tauriCsp.test.ts b/src/utils/tauriCsp.test.ts
index 2aefef22..308084b6 100644
--- a/src/utils/tauriCsp.test.ts
+++ b/src/utils/tauriCsp.test.ts
@@ -11,4 +11,12 @@ describe('Tauri Content Security Policy', () => {
expect(csp['style-src-elem']).toContain('https://fonts.googleapis.com')
expect(csp['style-src-attr']).toBe("'unsafe-inline'")
})
+
+ it('allows PDF object previews from scoped Tauri asset URLs', () => {
+ const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
+ const csp = config.app.security.csp as Record
+
+ expect(csp['object-src']).toContain('asset:')
+ expect(csp['object-src']).toContain('http://asset.localhost')
+ })
})