From 2d6b15d0d99e5af6e77916c88d04ef2d45a1afab Mon Sep 17 00:00:00 2001
From: Rob Wu
Date: Sat, 18 Jul 2015 00:07:02 +0200
Subject: [PATCH] [CRX] Do not load local files in non-local frames

Ordinarily, local files cannot be embedded in a non-local website. Until this commit, the extension allowed websites to embed local PDF files on non-local (e.g. http(s)) websites. This unintended feature is now disabled, to align better with Chrome's existing security policies (=local file:-URLs cannot be loaded in a tab unless expicitly allowed).
---
 web/chromecom.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/web/chromecom.js b/web/chromecom.js
index a4c9ee4aa..3c4a17e3c 100644
--- web/chromecom.js
+++ web/chromecom.js
@@ -113,6 +113,14 @@ var ChromeCom = (function ChromeComClosure() {
 });
 return;
 }
+ if (/^file?:/.test(file)) {
+ if (top !== window && !/^file:/i.test(location.ancestorOrigins[0])) {
+ PDFViewerApplication.error('Blocked ' + location.ancestorOrigins[0] +
+ ' from loading ' + file + '. Refused to load a local file in a ' +
+ ' non-local page for security reasons.');
+ return;
+ }
+ }
 PDFViewerApplication.open(file, 0);
 });
 };
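Review bot: The outer guard `/^file?:/.test(file)` does not match the inner check's `/^file:/i`: the `?` makes the `e` optional and the test is case-sensitive. URL schemes are case-insensitive, so unless `file` is normalised before this point (not visible in the hunk), a differently-cased `file:` scheme would skip the new block and reach `PDFViewerApplication.open(file, 0)`; I would write `if (/^file:/i.test(file)) {`. The block also consults only `location.ancestorOrigins[0]`, the immediate parent, so it may be worth refusing when any entry of `ancestorOrigins` is non-local rather than just the first. The message fragments `'... in a '` and `' non-local page ...'` concatenate to a double space. The enclosing callback begins above the hunk, so how `file` is derived cannot be confirmed from here.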