diff --git a/services/web/app/src/infrastructure/CSP.js b/services/web/app/src/infrastructure/CSP.js
index e8f9a90940..28f4f380d3 100644
--- a/services/web/app/src/infrastructure/CSP.js
+++ b/services/web/app/src/infrastructure/CSP.js
@@ -47,7 +47,7 @@ module.exports = function ({
   }
 }
 
-const buildDefaultPolicy = reportUri => {
+const buildDefaultPolicy = (reportUri, styleSrc) => {
   const directives = [
     `base-uri 'none'`, // forbid setting a "base" element
     `default-src 'none'`, // forbid loading anything from a "src" attribute
@@ -61,6 +61,10 @@ const buildDefaultPolicy = reportUri => {
     // NOTE: implement report-to once it's more widely supported
   }
 
+  if (styleSrc) {
+    directives.push(`style-src ${styleSrc}`)
+  }
+
   return directives.join('; ')
 }
 
@@ -98,5 +102,17 @@ function removeCSPHeaders(res) {
   res.removeHeader('Content-Security-Policy-Report-Only')
 }
 
+/**
+ * WARNING: allowing inline styles can open a security hole;
+ * this is intended only for use in specific circumstances, such as Safari's built-in PDF viewer.
+ */
+function allowUnsafeInlineStyles(res) {
+  res.set(
+    'Content-Security-Policy',
+    buildDefaultPolicy(undefined, "'unsafe-inline'")
+  )
+}
+
 module.exports.buildDefaultPolicy = buildDefaultPolicy
 module.exports.removeCSPHeaders = removeCSPHeaders
+module.exports.allowUnsafeInlineStyles = allowUnsafeInlineStyles
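Review bot: The new `styleSrc` parameter on the exported `buildDefaultPolicy` is undocumented, and since its value is interpolated verbatim into the header (second hunk), the contract that it is a trusted, already-formed source-expression list is worth stating where callers will see it. A JSDoc block above the signature would do: `@param {string} [reportUri] - report-uri directive target, omitted when falsy`, `@param {string} [styleSrc] - style-src source list appended verbatim; must come from trusted configuration, a stray ';' would end the directive and start another`. buildDefaultPolicy's body continues past the end of this hunk.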
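Review bot: The `directives.push(\`style-src ${styleSrc}\`)` appends unconditionally, so if the directive list built at the top of buildDefaultPolicy (lines 52-60, outside this hunk) already carries a `style-src` entry, the header ends up with two and browsers honour only the first, silently ignoring the configured value. If that is possible, a short comment on the push, `// NOTE: must be the only style-src in the list; browsers drop duplicate directives after the first`, or a guard such as `if (styleSrc && !directives.some(d => d.startsWith('style-src ')))` would make the intent explicit. I cannot see the earlier entries from this hunk, so this is inferred rather than confirmed.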
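Review bot: `allowUnsafeInlineStyles` passes `undefined` as the report URI, so the one response that carries the most permissive policy is also the one whose violations are never reported, and it sets the enforcing `Content-Security-Policy` header without clearing a `Content-Security-Policy-Report-Only` header the middleware may already have set (removeCSPHeaders above shows that header exists in this file), leaving the response with both. Consider taking the report URI as a parameter and clearing first: `function allowUnsafeInlineStyles(res, reportUri) {`, `removeCSPHeaders(res)`, then `buildDefaultPolicy(reportUri, "'unsafe-inline'")`. The WARNING block would also read better with a one-line `@param {import('express').Response} res` and a note that any configured style-src value is replaced, not extended, by `'unsafe-inline'`.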