Dangerous site - attackers on the site you're trying to visit might trick you

Question

I have an intranet site. This site is hosted on our internal server 2019 on IIS version 10.0. This website is just a web page that enables the employees to fill out their information and then populates a .pdf file from the information that they fill out. This .pdf file is embedded on the web page too. This is the code to embed .pdf file on web page:

using (MemoryStream stream = new MemoryStream())
     {
         string embed =  "<object data=\"{0}\" type=\"application/pdf\" width=\"1000px\" height=\"700px\">";
         embed += "If you are unable to view file, you can download from <a href = \"{0}\">here</a>";
         embed += " or download <a target = \"_blank\" href = \"http://get.adobe.com/reader/\">Adobe PDF Reader</a> to view the file.";
         embed += "</object>";
         TempData["Embed"] =  string.Format(embed, "/FilledPDFFiles/AckPack" + "_" + up.EmployeeId +".pdf");
         return View();
     }

Once the employee fills out the information on the web page and clicks the submit button, the entire blank .pdf file is populated and then shows the filled out information on the embedded .pdf file. Clicking on the submit button is show this error message:

Is there any way, I can avoid this message by some configuration on IIS side or in the application web.config file.

Answer 1

It’s probably your obsolete object tag. Use an iframe with src url, or just return a pdf.