[CRX] Do not load local files in non-local frames

Ordinarily, local files cannot be embedded in a non-local website. Until
this commit, the extension allowed websites to embed local PDF files on
non-local (e.g. http(s)) websites. This unintended feature is now
disabled, to align better with Chrome's existing security policies
(=local file:-URLs cannot be loaded in a tab unless explicitly allowed).
Rob Wu 2015-07-18 00:07:02 +02:00
parent 7065c1b8e9
commit 2d6b15d0d9


@ -113,6 +113,14 @@ var ChromeCom = (function ChromeComClosure() {
});
return;
}
if (/^file?:/.test(file)) {
if (top !== window && !/^file:/i.test(location.ancestorOrigins[0])) {
PDFViewerApplication.error('Blocked ' + location.ancestorOrigins[0] +
' from loading ' + file + '. Refused to load a local file in a ' +
' non-local page for security reasons.');
return;
}
}
PDFViewerApplication.open(file, 0);
});
};
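Review bot: The outer test on the first added line, `/^file?:/.test(file)`, is case-sensitive and makes the `e` optional, while the ancestor-origin test right below it uses `/^file:/i`. Unless `file` is normalised before this point (not visible in the hunk), a URL whose scheme is written in a different case would never enter the guard, so the embedding check would be skipped for it. I would make the two tests agree with `if (/^file:/i.test(file)) {`. The error message also joins `'... in a '` with `' non-local page ...'`, which leaves a double space in the text shown to the user. The enclosing callback starts and ends outside the hunk, so earlier handling of `file` could not be checked here.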