Hi @john-paul,
When I saw this, it really intrigued me, so I dove in…
From my current testing, it doesnt seem to be possible give then way I was doing it (refer below)
<object data="data:application/pdf;base64,base64_data_goes_here></object>
- you can also do
<embed>or<iframe>
The problem I found was this:
Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'none'".
Refused to load plugin data from 'data:application/pdf;base64,base64_data_here' because it violates the following Content Security Policy directive: "object-src 'none'".
So Snooping around the html that Postman preloads, I found this:
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src http: https: 'unsafe-inline'; style-src http: https: 'unsafe-inline' ; img-src http: https: data:; font-src http: https:; connect-src http: https:; media-src http: https:; object-src 'none'; child-src 'none'; frame-src 'none'">
This is what its complaining about. So if I removed a buncha these tags (defaulf-src, object-src, frame-src), I was able to get a pdf to render! In chrome that is…
But, when sending a request, a new html file is made every time in the temp directory, so there is no way I can get around the auto generated html they have.
However, I should say that the HTML they have in there is regarded as best practice, so nothing bad on their end 
.
I havent tried javascript libraries (like pdf.js), but I forsee similar issues happening, but I cant confirm that.
I’d say you make this a feature request here #feature-requests.
Hope this helps! (I was secretly hoping I could get this to work)
Orest