I’m trying to embed a PDF file using the Document widget, but the file is hosted on an HTTP site, while the widget only accepts HTTPS links. Modifying the URL to use HTTPS works in my browser after manually trusting the site but it fails to load in other players (Desktop and IPad).
I did try creating a custom widget too but I’m facing CORS error when going through that route.
Has anyone found any workarounds for this?
Unfortunately, changing the site itself to https is not an option now.
One more thing I’ve tried is to use Open Link instead of the Document Widget - This doesn’t work on an iPad. I’m getting the following error:- The resource could not be loaded because the App Transport Security policy requires the use of a secure connection
Thanks for the detail. Based on your testing, what you are seeing is expected. The Document widget can display PDF files, but it depends on being able to load the link inside the Tulip Player. The Player itself runs entirely over secure TLS connections. You can see this in the Tulip IT Security Guide, which explains that all end user access to Tulip uses TLS encryption. Because of this security model, links that are not served over a secure connection may fail when the Player tries to open them.
This behavior is even more strict on iPad. Your iPad error message matches iOS App Transport Security rules. Apple blocks non secure links unless the app developer explicitly opts out. The Tulip Player does not override Apple’s default security policy, so iPad will not load an HTTP link.
Here are a few workable options.
Upload the PDF directly into Tulip so the platform serves it over HTTPS. You can do this in the Files section of your app or in a Table File field.
Host the file on any location that provides an HTTPS link. Once the file is served securely, the Document widget and Open Link option will work across Player environments.
If the original server cannot be changed, a reverse proxy that provides an HTTPS front end is an option many teams use.
Custom widgets will not bypass these security rules because they are still loaded inside the secure Player environment.