Content-Security-Policy"-header, containing the rule "
The symptom is that instead of showing the PDF, Chromium will just show a grey page with a tiny rectangle with rounded corners in the middle.
I fixed it by changing "
none" to "
self"; but I guess I should figure out which of the more specific policies it is that Chromium needs to be changed.
Some more digging reveals the I can keep "
default-src 'none'" if I add "
object-src 'self'", and Chromium will then display PDF's inline, so that's what I'm using now.