Sakurai/pdf.js
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Wraps worker script if its cross-origin location is detected.

Browse Source
This commit is contained in:
Yury Delendik 2016-01-15 15:05:46 -06:00
parent 7f821f5b78
commit 1e45f2d4e1
2 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/display/api.js
View File

@ -48,6 +48,7 @@ var error = sharedUtil.error;
var deprecated = sharedUtil.deprecated; var deprecated = sharedUtil.deprecated;
var info = sharedUtil.info; var info = sharedUtil.info;
var isArrayBuffer = sharedUtil.isArrayBuffer; var isArrayBuffer = sharedUtil.isArrayBuffer;
var isSameOrigin = sharedUtil.isSameOrigin;
var loadJpegStream = sharedUtil.loadJpegStream; var loadJpegStream = sharedUtil.loadJpegStream;
var stringToBytes = sharedUtil.stringToBytes; var stringToBytes = sharedUtil.stringToBytes;
var warn = sharedUtil.warn; var warn = sharedUtil.warn;
@ -1226,6 +1227,14 @@ var PDFWorker = (function PDFWorkerClosure() {
return PDFJS.fakeWorkerFilesLoadedCapability.promise; return PDFJS.fakeWorkerFilesLoadedCapability.promise;
} }
function createCDNWrapper(url) {
// We will rely on blob URL's property to specify origin.
// We want this function to fail in case if createObjectURL or Blob do not
// exist or fail for some reason -- our Worker creation will fail anyway.
var wrapper = 'importScripts(\'' + url + '\');';
return URL.createObjectURL(new Blob([wrapper]));
}
function PDFWorker(name) { function PDFWorker(name) {
this.name = name; this.name = name;
this.destroyed = false; this.destroyed = false;
@ -1261,6 +1270,14 @@ var PDFWorker = (function PDFWorkerClosure() {
var workerSrc = getWorkerSrc(); var workerSrc = getWorkerSrc();
try { try {
//#if GENERIC
// // Wraps workerSrc path into blob URL, if the former does not belong
// // to the same origin.
// if (!isSameOrigin(window.location.href, workerSrc)) {
// workerSrc = createCDNWrapper(
// combineUrl(window.location.href, workerSrc));
// }
//#endif
// Some versions of FF can't create a worker on localhost, see: // Some versions of FF can't create a worker on localhost, see:
// https://bugzilla.mozilla.org/show_bug.cgi?id=683280 // https://bugzilla.mozilla.org/show_bug.cgi?id=683280
var worker = new Worker(workerSrc); var worker = new Worker(workerSrc);

16
src/shared/util.js
View File

@ -293,6 +293,21 @@ function combineUrl(baseUrl, url) {
return new URL(url, baseUrl).href; return new URL(url, baseUrl).href;
} }
// Checks if URLs have the same origin. For non-HTTP based URLs, returns false.
function isSameOrigin(baseUrl, otherUrl) {
try {
var base = new URL(baseUrl);
if (!base.origin || base.origin === 'null') {
return false; // non-HTTP url
}
} catch (e) {
return false;
}
var other = new URL(otherUrl, base);
return base.origin === other.origin;
}
// Validates if URL is safe and allowed, e.g. to avoid XSS. // Validates if URL is safe and allowed, e.g. to avoid XSS.
function isValidUrl(url, allowRelative) { function isValidUrl(url, allowRelative) {
if (!url) { if (!url) {
@ -2291,6 +2306,7 @@ exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
exports.isInt = isInt; exports.isInt = isInt;
exports.isNum = isNum; exports.isNum = isNum;
exports.isString = isString; exports.isString = isString;
exports.isSameOrigin = isSameOrigin;
exports.isValidUrl = isValidUrl; exports.isValidUrl = isValidUrl;
exports.loadJpegStream = loadJpegStream; exports.loadJpegStream = loadJpegStream;
exports.log2 = log2; exports.log2 = log2;