BUG-000149809 for ArcGIS Online

Bug ID Number	BUG-000149809
Submitted	June 7, 2022
Last Modified	June 5, 2024
Applies to	ArcGIS Online
Version found	N/A
Operating System	N/A
Operating System Version	N/A
Status	As Designed

Additional Information

For security reasons, PDFs from the web must have the required cross-origin resource sharing (CORS) headers to be embedded in a story or collection. This is documented here in the ArcGIS StoryMaps FAQ: https://doc.arcgis.com/en/arcgis-storymaps/get-started/faq.htm#anchor19. The only situation where this does not apply is for PDFs hosted on the arcgis.com domain. This is because this is the same domain where ArcGIS StoryMaps is hosted, so there are no cross-domain security requirements (see the Workaround section). Note that PDFs hosted on the esri.com domain are also subject to these requirements. It is the decision of the Esri marketing departments whether to include these headers or not and at least the PDF provided in the bug report does not currently have the required headers to allow embedding. This issue is closed since it is not a software bug or defect. The software is behaving as designed according to the security requirements.

Workaround

If there is a PDF file on the web that cannot be embedded in ArcGIS StoryMaps because it does not have the required cross-origin resource sharing (CORS) security headers, download the PDF file, upload it as an item to the ArcGIS account, share it with everyone, and use the public URL to embed it in a story or collection.

PDFs stored as items in ArcGIS Online and shared with everyone may be embedded in ArcGIS StoryMaps. This is because the PDF is being served from the same domain as where ArcGIS StoryMaps is hosted (arcgis.com), so there are no cross-domain security requirements.