Merge pull request #4197 from Rob--W/firefox-verify-message-source

[security] Verify message source in Firefox add-on
2014-01-26 12:31:02 -08:00 · 2014-01-26 12:31:02 -08:00 · 10b9824cd0
commit 10b9824cd0
parent 520fdf2f6a 7bbff32a4d
1 changed files with 7 additions and 0 deletions
--- a/web/viewer.js
+++ b/web/viewer.js
@ -446,6 +446,7 @@ var PDFView = {
            (this.container.scrollWidth > this.container.clientWidth));
  },

+//#if (FIREFOX || MOZCENTRAL)
  initPassiveLoading: function pdfViewInitPassiveLoading() {
    var pdfDataRangeTransport = {
      rangeListeners: [],
@ -482,6 +483,11 @@ var PDFView = {
    };

    window.addEventListener('message', function windowMessage(e) {
+      if (e.source !== null) {
+        // The message MUST originate from Chrome code.
+        console.warn('Rejected untrusted message from ' + e.origin);
+        return;
+      }
      var args = e.data;

      if (typeof args !== 'object' || !('pdfjsLoadAction' in args))
@ -514,6 +520,7 @@ var PDFView = {
    });
    FirefoxCom.requestSync('initPassiveLoading', null);
  },
+//#endif

  setTitleUsingUrl: function pdfViewSetTitleUsingUrl(url) {
    this.url = url;