Fixed
- Documents: PDF previews no longer fail with "This page was blocked by Chrome" in Chromium-based browsers. The preview iframe dropped its
sandboxattribute (Chromium refuses to start its internal PDF viewer inside sandboxed frames) and the/documents/:id/previewendpoint now sends a PDF-specific Content-Security-Policy (default-src 'self') instead of the strictdefault-src 'none'that blocked the native viewer. PDFs are still served same-origin asapplication/pdfwithX-Content-Type-Options: nosniff, so no scripts can execute; non-PDF previews keep the strict policy.